By Tom Hegel and Aleksandar Milenkoski

Executive Summary

Pro-Russia hacktivist group NoName057(16) is conducting a campaign of DDoS attacks on Ukraine and NATO organizations that began in the early days of the war in Ukraine. Targets have included government organizations and critical infrastructure. NoName057(16) was responsible for disrupting services across the financial sector of Denmark this week.…

Major drug markets in the Dark Web are now worth around $315 million annually

The Resecurity® Hunter unit performed an extensive analysis of current trends and dynamics related to the underground economy around active DNMs, leveraging technical means and human intelligence (HUMINT) sources. Some results of this research (Drug Trafficking in the Dark Web – Status Report – 2022/2023) arranged by our team are provided within this blog post and are intended to provide awareness for international law enforcement, cybercrime investigators and intelligence professionals. Some…

Cybercriminals exploiting World Cup buzz to conduct malicious campaigns

The 22nd FIFA World Cup launched in Qatar on November 20th, 2022, with 32 teams battling for the trophy. With fans around the world excited about the World Cup and cheering on their favorite team, Threat Actors (TAs) are also actively taking advantage of it and using FIFA as a theme in their malicious campaigns targeting unsuspecting victims.…


Authored by SangRyol Ryu and Yukihiro Okutomi 

McAfee’s Mobile Research team recently analyzed new malware targeting mobile payment users in Japan. The malware, which was distributed on the Google Play store, pretends to be a legitimate mobile security app, but it is in fact payment fraud malware that steals passwords and abuses a reverse proxy targeting the mobile payment services.…

Targeting different platforms and introducing Zombinder

The history of the threat landscape has seen several cases of threat actors using Trojans targeting different platforms and systems. This time, while analyzing the activity of the Android banking Trojan Ermac, ThreatFabric’s analysts discovered a campaign employing several Trojans and targeting both Android and Windows users at the same time, in order to reach as many victims as possible.…

LodaRAT samples were deployed alongside other malware families, including RedLine and Neshta.
Cisco Talos identified several variants and altered versions of LodaRAT with updated functionality that have been seen in the wild.
Changes in these LodaRAT variants include new functionality allowing proliferation to attached removable storage, a new string encoding algorithm and the removal of “dead” functions.
A relatively unknown VenomRAT variant named S500 has been observed deploying LodaRAT.…

This report provides defenders and security operations center teams with the technical details they need to know should they encounter the DeimosC2 C&C framework.

Introduction

With the rise in attention to Cobalt Strike from network defenders, attackers have been looking to alternative command-and-control (C&C) frameworks. Among these, Brute Ratel and Sliver are growing in popularity, having recently been featured in a number of publications.…

While performing routine security research, one of our threat analysts discovered the latest version of a Command and Control (C2) script, which is referred to as F-Automatical within the script’s code and was commonly known as FoxAuto in older versions. This is the seventh version of this automatic C2 script that is developed and distributed by a threat group called Anonymous Fox.…


Minutes make the difference to defenders in responding to a ransomware attack on a victim’s network. BianLian ransomware raises the cybercriminal bar by encrypting files with exceptional speed.

Threat actors built the new BianLian ransomware in the Go programming language (aka Golang). Despite the large size of files created in Go, threat actors are turning to this “exotic” programming language more often for a variety of reasons, particularly its robust support for concurrency.…


The parasitic Water Labbu capitalizes on the social engineering schemes of other scammers, injecting malicious JavaScript code into their malicious decentralized application websites to steal cryptocurrency.

We discovered a threat actor we named Water Labbu that was targeting cryptocurrency scam websites. Typically, cryptocurrency scammers use social engineering techniques, interacting with victims to gain their trust and then manipulating them into providing the permissions needed to transfer cryptocurrency assets.…


Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.

This report details multiple campaigns conducted by the likely Chinese state-sponsored threat activity group TA413. The activity was identified through a combination of large-scale automated network traffic analytics and expert analysis.…

Scammers impersonating National Tax Agency to steal V-Preca Card details

During our routine threat-hunting exercise, Cyble Research & Intelligence Labs (CRIL) came across a Twitter post wherein a researcher mentioned a new phishing campaign imitating the page of the National Tax Agency, which targets Japanese users by tricking users into sharing sensitive information with Threat Actors (TAs).…



Executive Summary

In early August, Unit 42 researchers discovered attacks leveraging several vulnerabilities in devices made by D-Link, a company that specializes in network and connectivity products. The vulnerabilities exploited include:

CVE-2015-2051: D-Link HNAP SOAPAction Header Command Execution Vulnerability
CVE-2018-6530: D-Link SOAP Interface Remote Code Execution Vulnerability
CVE-2022-26258: D-Link Remote Command Execution Vulnerability
CVE-2022-28958: D-Link Remote Command Execution Vulnerability

If the devices are compromised, they will be fully controlled by attackers, who could utilize those devices to conduct further attacks such as distributed denial-of-service (DDoS) attacks.…


While conducting our routine threat hunting exercises, Cyble Research and Intelligence Labs (CRIL) came across instances of the PowerShell Empire command and control (C&C) infrastructure. The PowerShell Empire is a post-exploitation red teaming tool used for creating stagers that connect to C&C servers after an initial compromise through vectors such as phishing emails, exploiting public-facing IT systems, and watering hole attacks, etc.…


Author: Tomer Bar, VP Security Research, SafeBreach

SafeBreach Labs researchers are constantly monitoring the hacker underground, sourcing intelligence feeds, and conducting original research to uncover new threats and ensure our Hacker’s Playbook provides the most comprehensive collection of attacks. As part of this ongoing effort, we recently discovered a new targeted attack we believe is compelling for four main reasons: 

It appears to target Farsi-speaking code developers by using a Microsoft Word document that includes a Microsoft Dynamic Data Exchange (DDE) exploit.…