This post is also available in: 日本語 (Japanese)

Executive Summary

On March 4, 2019, one of the most well-known keyloggers used by criminals, called Agent Tesla, closed up shop due to legal troubles. In the announcement message posted on the Agent Tesla Discord server, the keylogger’s developers suggested people switch over to a new keylogger: “If you want to see a powerful software like Agent Tesla, we would like to suggest you OriginLogger.…

Read More

This blog entry details how Trend Micro Cloud One™ – Workload Security and Trend Micro Vision One™ effectively detected and blocked the abuse of the CVE-2020-14882 WebLogic vulnerability in affected endpoints.

We have recently observed malicious actors exploiting both recently disclosed and older Oracle WebLogic Server vulnerabilities to deliver cryptocurrency-mining malware.…

Read More
Key TakeawaysArctic Wolf Labs assesses with medium confidence that the Lorenz ransomware group exploited CVE-2022-29499 to compromise Mitel MiVoice Connect to gain initial access Lorenz waited nearly a month after obtaining initial access to conduct additional activity Lorenz exfiltrated data via FileZilla Encryption was done via BitLocker and Lorenz ransomware on ESXi Lorenz employed a high degree of Operational Security (OPSEC) Ransomware groups continue to use Living Off the Land Binaries (LOLBins) and gaining access to 0day exploits Process and PowerShell Logging can significantly aid incident responders and potentially help decrypt encrypted filesBackground

The Arctic Wolf Labs team recently investigated a Lorenz ransomware intrusion, which leveraged a Mitel MiVoice VoIP appliance vulnerability (CVE-2022-29499) for initial access and Microsoft’s BitLocker Drive Encryption for data encryption.…

Read More
Cisco Talos has been tracking a new campaign operated by the Lazarus APT group, attributed to North Korea by the United States government. This campaign involved the exploitation of vulnerabilities in VMWare Horizon to gain an initial foothold into targeted organizations. Targeted organizations include energy providers from around the world, including those headquartered in the United States, Canada and Japan.…
Read More

Found in Environments Protected By: Microsoft

By Andy Mann and Dylan Main, Cofense Phishing Defense Center

Analysts at the Cofense Phishing Defense Center (PDC) have recently analyzed an email asking users to download a “Proof of Payment” as well as other documents. While it is important to never click on the link(s) or download the attachment(s) of any suspicious email, if the recipient interacts with the link, it downloaded the malware Lampion.…

Read More
Key TakeawaysIn mid-2022, TA453 deployed a social engineering impersonation technique informally called Multi-Persona Impersonation in which the threat actor uses at least two actor-controlled personas on a single email thread to convince targets of the legitimacy of the campaign. This is an intriguing technique because it requires more resources be used per target—potentially burning more personas—and a coordinated approach among the various personalities in use by TA453.…
Read More
Cisco Talos has discovered a new remote access trojan (RAT) we’re calling “MagicRAT,” developed and operated by the Lazarus APT group, which the U.S. government believes is a North Korean state-sponsored actor. Lazarus deployed MagicRAT after the successful exploitation of vulnerabilities in VMWare Horizon platforms. We’ve also found links between MagicRAT and another RAT known as “TigerRAT,” disclosed and attributed to Lazarus by the Korean Internet & Security Agency (KISA) recently.…
Read More
Delivers Payload Using Post Exploitation Framework

During our routine threat-hunting exercise, Cyble Research & Intelligence Labs (CRIL) came across a Twitter post wherein a researcher mentioned an interesting infection chain of the Bumblebee loader malware being distributed via spam campaigns.

Bumblebee is a replacement for the BazarLoader malware, which acts as a downloader and delivers known attack frameworks and open-source tools such as Cobalt Strike, Shellcode, Sliver, Meterpreter, etc.…

Read More
c285eaea0fe441f550479f7ef85a3dd0MD5 hashMalicious RAR file containing PlugX (Predlog termina zvanicne posjete zamjenice predsjedavajuceg Vijeca ministara i ministarke vanjskih poslova BiH.rar)41d61af1d61d6e1c4718132e64268005ce362b36SHA1 hashMalicious RAR file containing PlugX (Predlog termina zvanicne posjete zamjenice predsjedavajuceg Vijeca ministara i ministarke vanjskih poslova BiH.rar)4cd7d84e464a2786446df623629aa7e2e6c776c9a870278eb39b54c5fba05044SHA256 hashMalicious RAR file containing PlugX (Predlog termina zvanicne posjete zamjenice predsjedavajuceg Vijeca ministara i ministarke vanjskih poslova BiH.rar)…
Read More

By Aleksandar Milenkoski & Jim Walter

We observe a new trend on the ransomware scene – intermittent encryption, or partial encryption of victims’ files. This encryption method helps ransomware operators to evade detection systems and encrypt victims’ files faster. We observe that ransomware developers are increasingly adopting the feature and intensively advertising intermittent encryption to attract buyers or affiliates.…

Read More

This post is also available in: 日本語 (Japanese)

Executive Summary

In early August, Unit 42 researchers discovered attacks leveraging several vulnerabilities in devices made by D-Link, a company that specializes in network and connectivity products. The vulnerabilities exploited include:

CVE-2015-2051: D-Link HNAP SOAPAction Header Command Execution Vulnerability CVE-2018-6530: D-Link SOAP Interface Remote Code Execution Vulnerability CVE-2022-26258: D-Link Remote Command Execution Vulnerability CVE-2022-28958: D-Link Remote Command Execution Vulnerability

If the devices are compromised, they will be fully controlled by attackers, who could utilize those devices to conduct further attacks such as distributed denial-of-service (DDoS) attacks.…

Read More

Summary: ThreatLabz observed an update to the Ares banking trojan that introduces a domain generation algorithm (DGA), which mirrors the Qakbot DGA. Based on analyzing the malware code, there does not appear to be a direct link between these two malware families. The Ares DGA may be an effort for the threat actor to maximize the lifetime of an infection, which provides more opportunities for monetizing compromised systems through attacks such as wire fraud and ransomware.…

Read More