The ASEC analysis team monitors phishing email threats with the ASEC automatic sample analysis system (RAPIT) and honeypot. This post will cover the cases of distribution of phishing emails during the week from December 18th, 2022 to December 24th, 2022 and provide statistical information on each type.…
Tag: BANK
By Tom Hegel and Aleksandar Milenkoski
Executive SummaryPro-Russia hacktivist group NoName057(16) is conducting a campaign of DDoS attacks on Ukraine and NATO organizations that began in the early days of the war in Ukraine. Targets have included government organizations and critical infrastructure. NoName057(16) was responsible for disrupting services across the financial sector of Denmark this week.…Major drug markets in the Dark Web are now worth around $315 million annually
The Resecurity® Hunter unit performed an extensive analysis of current trends and dynamics related to the underground economy around active DNMs leveraging technical means and human intelligence (HUMINT) sources. Some results of this research (Drug Trafficking in the Dark Web – Status Report – 2022/2023) arranged by our team are provided within this blog post and are aimed to provide awareness for international law enforcement, cybercrime investigators and intelligence professionals. Some…
APT-C-36, also known as Blind Eagle, is a financially motivated threat group that has been launching indiscriminate attacks against citizens of various countries in South America since at least 2018.
In a recent campaign targeting Ecuador based organizations, CPR detected a new infection chain that involves a more advanced toolset.…
Read More By Nati Tal (Guardio Labs)
TL;DRA newly uncovered technique to abuse Google’s ad-words powerful advertisement platform is spreading rogue promoted search results in mass. Pointing to allegedly credible advertisement sites that are fully controlled by threat actors, those are used to masquerade and redirect ad-clickers to malicious phishing pages gaining the powerful credibility and targeting capabilities of Google’s search results.…
BlueNoroff group is a financially motivated threat actor eager to profit from its cyberattack capabilities. We have published technical details of how this notorious group steals cryptocurrency before. We continue to track the group’s activities and this October we observed the adoption of new malware strains in its arsenal.…
We analyze the latest changes in IcedID botnet from a campaign that abuses Google pay per click (PPC) ads to distribute IcedID via malvertising attacks.
After closely tracking the activities of the IcedID botnet, we have discovered some significant changes in its distribution methods. Since December 2022, we observed the abuse of Google pay per click (PPC) ads to distribute IcedID via malvertising attacks.…
Cyble Research & Intelligence Labs (CRIL) investigated a fraudulent operation carried out by impostors posing as Village Level Entrepreneurs (VLEs) to dupe and scam Indian rural subscribers registering for Customer Service Point (Bank Mitra), an initiative under the Common Services Center (CSC) Scheme of the Ministry of Electronics and Information Technology (MEITY), India.…
RAT capable of stealing Credit Card Information
Read More A RAT (Remote Access Trojan) is a tool used by Threat Actors (TAs) to gain full access and remote control of a victim’s machine, including mouse and keyboard control, file access, network resources access, etc.
Cyble Research and Intelligence Labs (CRIL) has been actively monitoring such RATs and blogging about them as and when they emerge.…
Targeting different platforms and introducing Zombinder
Read More The history of the threat landscape has seen several cases of threat actors using Trojans targeting different platforms and systems. This time while analyzing the activity of the Android banking Trojan Ermac, ThreatFabric’s analysts discovered a campaign employing several Trojans, and targeting both Android and Windows users at the same time, in order to reach as much victims as possible.…
ESET researchers discovered a new wiper and its execution tool, both attributed to the Agrius APT group, while analyzing a supply-chain attack abusing an Israeli software developer. The group is known for its destructive operations.
In February 2022, Agrius began targeting Israeli HR and IT consulting firms, and users of an Israeli software suite used in the diamond industry.…
概述
Lazarus组织是疑似具有东北亚背景的APT组织,奇安信威胁情报中心内部追踪编号为APT-Q-1,因2014年攻击索尼影业开始受到广泛关注,其攻击活动最早可追溯到2007年。该组织早期主要针对其他国家政府机构,以窃取敏感情报为目的,但自2014年后,该组织开始以全球金融机构 、虚拟货币交易场等为目标,进行敛财为目的的攻击活动。据公开情报显示,2014 年索尼影业遭黑客攻击事件,2016 年孟加拉国银行数据泄露事件,2017年美国国防承包商、美国能源部门及英国、韩国等比特币交易所被攻击事件都出自Lazarus之手。2021年,Lazarus还开始了针对安全研究人员的新活动【1】。一直以来,木马样本的免杀率都是各个APT组织高度关注的要点,随着杀毒软件的更新迭代,检出方法不断的完善,恶意样本的检出率也随之提高,攻击者为进一步对抗而使用了各种匪夷所思的绕过方法、千奇百怪的免杀方法。近日,奇安信威胁情报中心红雨滴团队在日常的威胁狩猎中便发现Lazarus组织最新的0杀软查杀攻击样本,样本为VHD(虚拟磁盘映像)文件,以日本瑞穗银行(Mizuho Bank)的招聘信息为诱饵进行攻击。
https://www.virustotal.com/gui/file/826f2a2a25f7b7d42f54d18a99f6721f855ba903db7b125d7dea63d0e4e6df64/detection
在发现该攻击活动后,红雨滴团队便第一时间向安全社区进行了预警【2】,并引发国内外安全研究员对该类型样本进行深度探索。A sample seems to be from #APT #Lazarus and uses VHD to deploy malware.Decoy document is about job description for Mizuho Bank.
3ce53609211cae4c925b9fee88c7380e (Job_Description.vhd)931d0969654af3f77fc1dab9e2bd66b1 (exe)31e154e560dff21f07f8aff37be6de9b (dump.bin) pic.twitter.com/8OHNdZkSTq
— RedDrip Team (@RedDrip7) November 23, 2022
样本分析
0x01 VHD虚拟磁盘映像文件
在威胁狩猎过程中,我们并未捕获到初始攻击载荷,结合VHD文件,我们猜测初始攻击载荷应该是鱼叉攻击邮件,通过邮件中的附件诱骗受害者点击打开VHD文件。在实际的环境中,Win7系统并不支持直接打开该类文件,因此该样本可能主要针对高版本Windows系统。
通常情况下,Windows操作系统都会隐藏受保护的操作系统文件,Lazarus组织正是利用这一特性:在Win10系统中直接打开VHD文件,仅可见一个名为Job_Description.exe的文件。并且攻击者还对该exe文件进行了伪装:…This blog post was authored by Jérôme Segura
Black Friday is the annual kick off to the shopping season for brick and mortar and online retailers. However, it’s not just businesses that rejoice in seeing the afflux of customers wanting to spend money. Scammers are waiting around the corner ready to take advantage of the situation in any way they can.…
HighlightsCheck Point Research found a sharp increase in fake shopping related websites in the run up to Black Friday sales.
17% of all malicious files distributed by email in November were related to orders/deliveries and shipping.
Since the start of this month, 4% of all new shopping related websites found to be malicious.…
Read More Editor’s Note: This is an excerpt of a full report. To read the entire analysis with endnotes, click here to download the report as a PDF.
This report analyzes the threat landscape ahead of the 2022 FIFA World Cup hosted in Qatar that begins on November 20, 2022.…
A financial cybercrime group calling itself the Disneyland Team has been making liberal use of visually confusing phishing domains that spoof popular bank brands using Punycode, an Internet standard that allows web browsers to render domain names with non-Latin alphabets like Cyrillic.
The Disneyland Team’s Web interface, which allows them to interact with malware victims in real time to phish their login credentials using phony bank websites.…
Threat Actor leveraging SMSeye stealer to Bypass 2FA
Read More Online banking is convenient as it allows users to make money transfers, bill payments, verify their balance, and access accounts 24/7 at their fingertips. Like regular online banking customers, cybercriminals also benefit from online banking by committing financial fraud using various scams.…
11/07: Updated article to provide clarity around hunting techniques
Key points from our research:
Following our reporting on Robin Banks in July, Cloudflare disassociated Robin Banks phishing infrastructure from its services, causing a multi-day disruption to operations. In response, Robin Banks administrators made several changes, including relocating its infrastructure to a notorious Russian provider and changing features of its kits to be more evasive.…By Nati Tal (Guardio Labs) — BadEx II
TL;DRThe “Dormant Colors” is yet another vast campaign of malicious extensions with millions of active installations worldwide, this time with a color-related theme and full of deception all through the chain. It starts with the trickery malvertising campaign, continues with a crafty novel way to side-load the real malicious code without anyone noticing (until now!),…
This post is also available in: 日本語 (Japanese)
Executive SummaryIn May 2021, Palo Alto Networks launched a proactive detector employing state-of-the-art methods to recognize malicious domains at the time of registration, with the aim of identifying them before they are able to engage in harmful activities.…