This blog entry discusses the more technical details on the most recent tools, techniques, and procedures (TTPs) leveraged by the Earth Preta APT group, and tackles how we were able …
Search Results for: lv
An information stealer (or infostealer) is a malware family designed to gather and exfiltrate sensitive information from the infected host. This threat became widespread over the past few …
Identifying Connected Infrastructure and Management Activities
Introduction
This blog post seeks to build on recent public reporting on campaigns attributed to SideCopy, a Pakistani-linked threat group. SideCopy has been active …
Trustwave SpiderLabs uncovered a new strain of malware that it dubbed Rilide, which targets Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera.…
Last February a BlackBerry report alluded to one of APT-C-36’s campaigns (Blind Eagle). The APT-C-36 group has many similarities in terms of tactics, techniques and procedures (TTPs) with the group …
Ransomware is a significant threat that can encrypt its victims’ files and demand a ransom. Additionally, the Threat Actors (TAs) responsible …
Find out how the Managed XDR team uncovered RedLine Stealer’s evasive spear-phishing campaign that targets the hospitality industry.
Recently, we noticed a spike in the number of emails received by …
We detail the update that advanced persistent threat (APT) group Iron Tiger made on the custom malware family SysUpdate. In this version, we also found components that enable the malware …
In January 2023, through our Dark Web monitoring routine, Sekoia.io identified a new information stealer advertised as Stealc by its alleged developer, going by the handle …
Resecurity® has identified a relatively new ransomware family called “Nevada Ransomware”. The actors behind this new project have an affiliate platform first introduced on the RAMP underground community, which is …
At the end of November 2022, experts from Bitdefender Labs started to notice an increase in attacks using ProxyNotShell/OWASSRF exploit chains to target on-premises Microsoft Exchange deployments. SSRF attacks on …
The Amadey bot is a Trojan that was first discovered in 2018 and is used to steal sensitive information from the …
We discovered an active campaign ongoing since at least mid-2022 which uses Middle Eastern geopolitical-themed lures to distribute NjRAT (also known as Bladabindi) to infect victims across the Middle East …
On October 21, 2022, 360Netlab's honeypot system captured a suspicious ELF file, ee07a74d12c0bb3594965b51d0e45b6f, spreading through an F5 vulnerability and with 0 detections on VT. Our traffic monitoring system flagged it generating SSL traffic with the IP 45.9.150.144, with both sides using forged Kaspersky certificates, which caught our attention. After analysis, we confirmed that it was adapted from the leaked server source code of the CIA's Hive project. This is the first time we have captured an in-the-wild variant of the CIA HIVE attack suite; based on the CN=xdr33 in its embedded Bot-side certificate, we named it xdr33 internally. There are many source-code analyses of the CIA Hive project on the internet that readers can consult on their own, so we will not expand on it here.
In summary, xdr33 is a backdoor trojan derived from the CIA Hive project, whose main purpose is to collect sensitive information and provide a foothold for subsequent intrusions. In terms of network communication, xdr33 encrypts the raw traffic with the XTEA or AES algorithm and further protects it with SSL running in Client-Certificate Authentication mode. In terms of functionality, it has two main tasks, beacon and trigger: beacon periodically reports sensitive device information to the hard-coded Beacon C2 and executes the commands it issues, while trigger monitors NIC traffic to identify specific packets that conceal a Trigger C2; when such a packet is received, it establishes communication with the Trigger C2 contained in it and waits to execute the issued commands.
The functional diagram is shown below:
Hive uses the BEACON_HEADER_VERSION macro to specify the version. On the Master branch of the source code its value is 29, while in xdr33 it is 34, so xdr33 may already have gone through several rounds of iteration out of our sight. Compared with the source code, xdr33's updates are reflected in the following 5 aspects:
1: New CC commands were added.
2: Functions were wrapped or inlined.
3: Structures were reordered and extended.
4: The Trigger packet format was extended.
5: CC operations were added to the Beacon task.
Judging by their implementation, these modifications in xdr33 are not especially refined, and the vulnerability used in this propagation is an N-day, so we tend to rule out the possibility that the CIA continued improving the leaked source code and believe it is the result of a cybercrime group modifying the already-leaked source. Given the enormous power of the original attack suite, this is not something the security community would welcome, so we decided to write this article to share our findings with the community and jointly maintain the security of cyberspace.
The md5 of the Payload we captured is ad40060753bc3a1d6f380a5054c1403a, and its content is shown below:
The code is simple and clear; its main purposes are:
1: Download the next-stage sample and disguise it as /command/bin/hlogd.
2: Install the logd service for persistence.
We captured only one x86-architecture xdr33 sample; its basic information is as follows:
MD5: ee07a74d12c0bb3594965b51d0e45b6f ELF 32-bit LSB executable, Intel…
Major drug markets in the Dark Web are now worth around $315 million annually
The Resecurity® Hunter unit performed an extensive analysis of current trends and dynamics related to the …
In late August 2022, we investigated an incident involving Ursnif malware, which resulted in Cobalt Strike being deployed. This was followed by the threat actors moving laterally throughout the environment …
Deriving Threat Actor TTPs from Management Infrastructure Tracking
You can find our previous work on Stage 1 and Stage 2 of IcedID’s initial infection chain in our Dragons News Blog. …
This year, various ransomware-as-a-service groups have developed versions of their ransomware in Rust, including Agenda. Agenda’s Rust variant has targeted vital industries like its Go counterpart. In this blog, we …
ESET researchers discovered a new wiper and its execution tool, both attributed to the Agrius APT group, while analyzing a supply-chain attack abusing an Israeli software developer. The group is …
The 2022 holiday shopping season is here. Retailers’ discounts are kicking off early, and shoppers are eager to spend, especially with big price markdowns to come as the season progresses. …
Through the AhnLab ASD infrastructure’s history of blocking suspicious ransomware behavior, the ASEC analysis team has identified the distribution of Wiki ransomware, which has been determined to be a variant …
In the past, I already found some script-based ransomware samples written in Python or PowerShell[1]. The last one I found was only a “proof-of-concept” (my guess) but it demonstrates how easy …
Our honeypots caught malicious cryptocurrency miner samples targeting the cloud and containers, and their routines are reminiscent of the routines employed by the cybercriminal group TeamTNT, which was said to have …
Cyble Research and Intelligence Labs (CRIL) has continuously monitored phishing campaigns that distribute different malware families. Recently, CRIL spotted an adult website, distributing …
Avast releases a MafiaWare666 ransomware decryption tool. MafiaWare666 is also known as JCrypt, RIP Lmao, BrutusptCrypt or Hades.
MafiaWare666’s Behavior
MafiaWare666 …
During our routine threat-hunting exercise, Cyble Research & Intelligence Labs (CRIL) came across a Twitter post wherein a researcher mentioned …
It has now been six months since the war in Ukraine began. Since then, pro-Russian and pro-Ukrainian hacker groups, like KillNet, Anonymous, IT Army of Ukraine, Legion Spetsnaz RF, have …
Following the recent Twilio hack leading to the leakage of 2FA (OTP) codes, cybercriminals continue to upgrade their attack arsenal to orchestrate advanced phishing campaigns targeting users worldwide. Resecurity has …
Summary
We analyzed a new version of ChromeLoader (also known as Choziosi Loader) that was seen in the wild in recent weeks.
This ChromeLoader campaign that appears to have started …
Introduction
Recently Zscaler ThreatLabz observed a Grandoreiro campaign targeting organizations in the Spanish-speaking nations of Mexico and Spain that work across a variety of different industry verticals such as Automotive, …
Onyx ransomware was initially identified by researchers in mid-April 2022. The ransomware group uses the double extortion technique to target its victims where it …
In late August 2020, we published an overview of DeathStalker’s profile and malicious activities, including their Janicab, Evilnum and PowerSing campaigns (PowerPepper was later documented in 2020). Notably, we exposed …
Summary
Symbiote is a Linux threat that hooks libc and libpcap functions to hide the malicious activity. The malware hides processes and files that are used during the activity by …
Our X-Ops teams – SophosLabs, SecOps (Sophos Managed Threat Response [MTR] and Sophos Rapid Response), and Sophos AI – operate in a virtuous Observe-Orient-Decide-Act loop, building on each team’s work …
Amadey Bot, a malware that was first discovered in 2018, is capable of stealing information and installing additional malware by receiving commands from the attacker. Like other malware strains, it …
Rootkits are dangerous pieces of malware. Once in place, they are usually really hard to detect. Their code is typically more challenging to write than other malware, so developers resort …
This research is a joint effort between Joakim Kennedy, Security Researcher at Intezer, and the BlackBerry Research & Intelligence Team. It can be found on the Intezer blog here as …
Update 05.27.22: An unknown APT group is targeting Russian government entities with at least four separate spear-phishing campaigns since the beginning of the Ukraine conflict. Source: Security Affairs.
It’s not often …
Nokoyawa is a new Windows ransomware that appeared earlier this year. The earliest samples collected by FortiGuard researchers were compiled in February 2022 and share substantial code similarities with Karma, …
Executive Summary
Emotet is one of the most prolific email-distributed malware families in our current threat landscape. Although a coordinated law enforcement …
Published On: 2022-05-12
Onyx Ransomware Report
Suspected Malware: Onyx Ransomware
Function: Ransomware
Risk Score: 8
Confidence Level: High
Threat Actor Associations: Unknown
Executive Summary:
The activity of a new ransomware named “Onyx” was first …
We all know vulnerabilities have a lifecycle. First, they start as closely held secrets, hopefully known to the company producing the vulnerable software. After becoming publicly known, there is often …
Update May 11th: Following the publication of this blog post, a penetration testing company called “Code White” took responsibility for this dependency confusion attack
The JFrog Security research team constantly …
In late January 2022, ThreatLabz identified an updated version of Conti ransomware as part of the global ransomware tracking efforts. This update was released prior to the massive leak of …