During a routine threat-hunting exercise, Cyble Research Labs discovered a dark web post where a malware developer was advertising a powerful …
Search Results for: play
On August 8, CheckPoint published a report on ten malicious Python packages in the Python Package Index (PyPI), the most popular Python repository among software developers. The malicious packages were …
CVE-2022-30190 (aka Follina) is a 0-day vulnerability that was disclosed on Twitter last May 27th by the nao_sec Cyber Security Research Team. According to their announcement, this vulnerability was found …
DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans …
On Saturday, August 13th, Checkmarx’s Software Supply Chain Security Typosquatting engine detected a large-scale attack on the Python ecosystem with multi-stage persistent malware.
The PyPi user account devfather777 published a …
During a routine threat hunting exercise, Cyble Research Labs (CRL) came across a Twitter post wherein researchers mentioned a URL that hosts a Windows …
The DoNot Team (a.k.a. APT-C-35) are advanced persistent threat actors who’ve been active since at least 2016. They’ve carried out many attacks against individuals and organizations in South Asia. DoNot are …
Executive Summary: Beginning in early May 2022, Unit 42 observed a threat actor deploying Cuba Ransomware using novel tools and techniques. Using …
In this intrusion from April 2022, the threat actors used BumbleBee as the initial access vector.
BumbleBee is a malware loader that was first reported by Google Threat Analysis Group …
In July 2022, the CrowdStrike Intelligence Advanced Research Team hosted the second edition of our Adversary Quest. As in the previous year, this “capture the flag” event featured 12 information …
The ASEC analysis team has discovered the continuous distribution of malicious Word files with North Korea-related materials. The types of discovered Word files included the one discussed in the “Overall …
The popularity of Cryptocurrency has increased exponentially over the recent years as dealing with crypto has become relatively hassle-free and more accessible. The …
This blog entry offers a technical analysis of a new SolidBit variant that is posing as different applications to lure gamers and social media users. The SolidBit ransomware group appears …
Industrial Spy is a relatively new ransomware group that emerged in April 2022. In some instances, the threat group appears to only exfiltrate and ransom data, while in other cases …
A few months ago, we reported on an interesting site called the Chameleon Phishing Page. These websites have the capability to change their background and logo depending on the user’s domain. …
July 28, 2022
Volexity tracks a variety of threat actors to provide unique insights and …
During a routine threat-hunting exercise, Cyble Research Labs discovered an unknown Rust-based stealer, which we have dubbed “Luca Stealer.” The source code of this stealer …
Our X-Ops teams – SophosLabs, SecOps (Sophos Managed Threat Response [MTR] and Sophos Rapid Response), and Sophos AI – operate in a virtuous Observe-Orient-Decide-Act loop, building on each team’s work …
Fraudsters have long been leveraging the shady corners of the internet to place malicious adverts, leading users to various scams. However, every now and again we see a campaign that …
Fortinet’s FortiGuard Labs captured a phishing email as part of a phishing campaign spreading a new variant of QakBot. Also known as QBot, QuackBot, or Pinkslipbot, QakBot is an information …
Recently, Antiy deputy chief engineer Li Baisong was interviewed by a Global Times reporter and disclosed the Indian APT group “Confucius” recently discovered by Antiy CERT, together with its attacks against Pakistani government and military institutions (see today’s second reposted article for the Huanqiu.com piece). This is the detailed analysis report.
01 Overview
Recently, while tracking and sorting attack incidents originating from the South Asian subcontinent, Antiy CERT discovered an attack campaign by the Confucius group targeting Pakistani government and military institutions.
The group’s name first appeared in an analysis report published by the foreign security vendor Palo Alto Networks in 2016 [1]. In that report, Palo Alto Networks disclosed the activity of an Indian attack group whose operations can be traced back to at least 2013. The group is adept at using spear-phishing emails, watering-hole attacks and phishing websites, combined with extensive social-engineering techniques, to conduct attacks aimed at stealing sensitive data from the government, military, energy and other sectors of countries neighbouring India, such as China, Pakistan and Bangladesh. In its early activity, the group made use of well-known international websites with public comment features (for example Quora, similar to China’s Zhihu), embedding encrypted and encoded addresses of its trojan’s command-and-control servers in public comments. Once the group’s trojan was implanted on a victim host, it fetched the content of such public comments and decrypted it to recover the real C2 server address. As a result, the trojan’s first network access from the victim host looks like a normal web request, while the attackers can use these well-known international sites to keep changing the C2 address or to issue other commands. On a Quora page contacted by the related malicious code, Palo Alto Networks found that content posted by the attackers contained the words “Confucius says” (in Chinese, “孔夫子说” or “子曰”), and so named the group Confucius. Evidently, in the course of continuously attacking China, the attackers also studied Chinese culture.
In the campaign discovered by Antiy CERT, the group mainly impersonated Pakistani government staff to deliver spear-phishing emails to targets, using the email content to trick targets into downloading and opening documents with embedded malicious macro code, thereby implanting on the target machines the open-source trojan QuasarRAT, a self-developed C++ backdoor trojan, a C# information-stealing trojan and a JScript downloader trojan.
At present, this campaign has drawn the attention of the relevant Pakistani government departments; the Pakistan National Telecommunication and Information Technology Security Board (NTISB) has issued nationwide cyber-threat warnings several times [2][3], stating that attackers are sending fake phishing emails imitating the Pakistan Prime Minister’s Office to government officials and the public, and asking government officials and the public to stay vigilant and not to provide any information via email or social-media links. This report summarises, to a certain extent, the Confucius group’s attack activity, techniques and tools from 2021 to the present. The characteristics of the overall campaign are briefly summarised in the table below:
Table 1-1 Summary of overall attack campaign characteristics
Attack period: 2021 to present
Attack intent: Persistent control, data theft
Target: Pakistan
Target industries/sectors: Government, military institutions
Attack techniques: Spear-phishing emails, phishing websites, use of third-party cloud storage services to host malicious payloads
Target system platform …
Cyble Research Labs discovered a new Remote Access Trojan (RAT) dubbed ApolloRAT. The RAT is written in Python and uses Discord as its Command …
Executive Summary: Unit 42 continuously hunts for new and unique malware samples that match known advanced persistent threat (APT) patterns and tactics. …
DarkComet is a Remote Access Trojan (RAT) application that may run in the background and silently collect information about the system, connected users, and network activity.
It may attempt to …
Raccoon Stealer was one of the most prolific information stealers in 2021, being used by multiple cybercriminal actors. Due to its wide stealing capabilities, the customizability of the malware and …
Since the last quarter of 2020, MuddyWater has maintained a “long-term” infection campaign targeting Middle East countries. We have gathered samples from November 2020 to January 2022, and due to …
ToddyCat is a relatively new APT actor that we have not been able to relate to other known actors, responsible for multiple sets of attacks detected since December 2020 against …
This blog post was authored by Jérôme Segura
We have seen and heard less buzz about ‘Magecart’ during the past several months. While some marketing playbooks continue to rehash the …
FortiGuard Labs has encountered version 3.0 of what is now dubbed IceXLoader, a new malware loader being advertised in malware hacking forums.
IceXLoader is a commercial malware used to download …
Author: S2W TALON
Last Modified: 2022.06.16.
Executive Summary: On March 25, 2022, the operator of Raccoon Stealer, who was active on the dark…
We found updated samples of the CopperStealer malware infecting systems via websites hosting fake software.
We noticed a new version of CopperStealer and analyzed these samples to be related to …
During the course of our work at Confiant, we see malicious activity on a daily basis. What matters the most for us is the …
Tech support scams follow a simple business model that has not changed much over the years. After all, why change a recipe that continues to yield large profits?
We see …
Executive Summary: Unit 42 recently identified a new, difficult-to-detect remote access trojan named PingPull being used by GALLIUM, an advanced persistent threat …
Executive Summary: HelloXD is a ransomware family performing double extortion attacks that surfaced in November 2021. During our research we observed multiple …
This research is a joint effort between Joakim Kennedy, Security Researcher at Intezer, and the BlackBerry Research & Intelligence Team. It can be found on the Intezer blog here as …
This research was conducted by Ross Inman (@rdi_x64) and Peter Gurney from NCC Group Cyber Incident Response Team. You can find more here: Incident Response – NCC Group
tl;dr: This blog …
Research by: Alexey Bukhteyev & Raman Ladutska
In July 2021, CPR released a series of three publications covering different aspects of how the Formbook and XLoader malware families function. We …
Fortinet’s FortiGuard Labs captured a phishing campaign that delivers three pieces of fileless malware onto a victim’s device. Once executed, they are able to control and steal sensitive information from that device …
Trustwave SpiderLabs in early April observed a Grandoreiro malware campaign targeting bank users from Brazil, Spain, and Mexico. The campaign exploits the tax season in target countries by sending out …
Black Basta Besting Your Network?
Black Basta first appeared in April 2022. To date, this group has claimed attribution of 29 different victims across multiple industries using a double extortion strategy where …
Given the current fluctuations in the energy market and the related rise in prices to consumers, it should be no surprise that threat actors are using lures to exploit the …
Update 05.27.22: An unknown APT group is targeting Russian government entities with at least four separate spear-phishing campaigns since the beginning of the Ukraine conflict. Source: Security Affairs.
It’s not often …
In the past two months, we observed multiple APT groups attempting to leverage the Russia and Ukraine war as a lure for espionage operations. It comes as no surprise that …
ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups
cybercriminal group ITG23, also known as Wizard Spider, DEV-0193, or simply the “Trickbot Group”. The results of this research, along with evidence gained …