Tag: ANDROID

Author:  Tomer Bar, VP Security Research, SafeBreach

SafeBreach Labs researchers are constantly monitoring the hacker underground, sourcing intelligence feeds, and conducting original research to uncover new threats and ensure our Hacker’s Playbook provides the most comprehensive collection of attacks. As part of this ongoing effort, we recently discovered a new targeted attack we believe is compelling for four main reasons: 

It appears to target Farsi-speaking code developers by using a Microsoft Word document that includes a Microsoft Dynamic Data Exchange (DDE) exploit.…
Read More

Earlier this year, [redacted] encountered a relatively new ransomware threat actor that called themselves BianLian. We observed the actor deploying custom malware that was written in the Go programming language, which posed some initial, but not insurmountable, reverse-engineering challenges. 

BianLian used subtle techniques to exploit, enumerate, and move laterally in victim networks to remain undetected and aggressively worked to counter Endpoint Detection & Response (EDR) protections during the encryption phase of their operations.…

Read More

A malicious campaign spreading the information stealer, AgentTesla, began circulating mid-August. The bad actors behind the campaign are going after information about victims’ computers and login credentials stored in browsers.

Phishing emails, sent from spoofed email addresses, with a malicious attachment are being sent to businesses across South America and Europe.…

Read More

Recently, a simple and short email with a suspicious RTF attachment that had been sent to a telecommunications agency in South Asia caught the attention of FortiGuard Labs. The email was disguised as having come from a Pakistan government division and delivered the PivNoxy malware.

Affected Platforms: WindowsImpacted Parties: Windows usersImpact: Controls victim’s machine and collects sensitive informationSeverity Level: Medium

This blog describes how the attack works, suggests who the threat actor behind the operation might be, and details the techniques used by the attacker.…

Read More
Sophisticated XWorm RAT with Ransomware and HNVC Attack Capabilities

During a routine threat-hunting exercise, Cyble research labs discovered a dark web post where a malware developer was advertising a powerful Windows RAT.

Figure 1 – Dark Web Post for XWorm

This post redirected us to the website of the malware developer, where multiple malicious tools are being sold.…

Read More

We found APT group Iron Tiger’s malware compromising chat application Mimi’s servers in a supply chain attack.

We noticed a server hosting both a HyperBro sample and a malicious Mach-O executable named “rshell.” HyperBro is a malware family used by Iron Tiger (also known as Emissary Panda, APT27, Bronze Union, and Luckymouse), an advanced persistent threat (APT) group that has been performing cyberespionage for almost a decade, and there have been no reports of this group associated with a tool for Mac operating systems (OS).…

Read More

In this intrusion from April 2022, the threat actors used BumbleBee as the initial access vector.

BumbleBee is a malware loader that was first reported by Google Threat Analysis Group in March 2022. Google TAG attributes this malware to an initial access broker (IAB) dubbed EXOTIC LILY, working with the cybercrime group FIN12/WIZARD SPIDER/DEV-0193.…

Read More
Info Stealer Targeting Browsers and Crypto Wallets

The popularity of Cryptocurrency has increased exponentially over the recent years as dealing with crypto has become relatively hassle-free and more accessible. The financial returns of crypto investments have attracted many investors to invest in crypto markets.

As the demand for crypto investment has increased over the years, we can also see a corresponding rise in the number of crypto wallets.…

Read More

This post is also available in: 日本語 (Japanese)

Executive Summary

HelloXD is a ransomware family performing double extortion attacks that surfaced in November 2021. During our research we observed multiple variants impacting Windows and Linux systems. Unlike other ransomware groups, this ransomware family doesn’t have an active leak site; instead it prefers to direct the impacted victim to negotiations through TOX chat and onion-based messenger instances.…

Read More
Introduction

LuoYu is a lesser-known threat actor that has been active since 2008. It primarily goes after targets located in China, such as foreign diplomatic organizations established in the country, members of the academic community, or companies from the defense, logistics and telecommunications sectors. In their initial disclosures on this threat actor, TeamT5 identified three malware families: SpyDealer, Demsty and WinDealer.…

Read More
ВведениеОбщие сведенияАнализ ВПО и инструментовMyKLoadClientСхема 1Схема 2Тестовый образецПолезная нагрузкаZupdaxПолезная нагрузкаСвязь с RedsipСвязи с Winnti и FF-RATСвязи с Bronze Union и TA428ЗагрузчикиDownloader.Climax.ADownloader.Climax.BRtlShareДроппер rtlstat.dllИнжектор rtlmake.dllПолезная нагрузка rtlmain.dll (rtlmainx64.dll)Использование RtlSharePlugXDemo dropperBH_A006Стадия 0.…
Read More