Key TakeawaysCyble Research and Intelligence Labs (CRIL) encountered a RAR archive file that could propagate through adult websites or fake adult sites, etc. In this malware campaign, Threat Actors (TAs) exploit a vulnerability in WinRAR (CVE-2023-38831) to distribute their malicious payloads onto the systems of their victims.…
Read More
Introduction

As long as cybercriminals want to make money, they’ll keep making malware, and as long as they keep making malware, we’ll keep analyzing it, publishing reports and providing protection. Last month we covered a wide range of cybercrime topics. For example, we published a private report on a new malware found on underground forums that we call ASMCrypt (related to the DoubleFinger loader).…

Read More

What Happened? 

In July 2023, our scanners detected nontypical commits to hundreds of GitHub repositories appear to be contributed by Dependabot and carrying malicious code.  Those commit messages were fabricated by threat actors to appear as a Dependabot automated contribution in the commit history, an attempt to disguise the malicious activity   After reaching out and talking to some of the victims who got compromised, we can confirm that the victims’ GitHub personal access token was stolen and used by the attackers to contribute those malicious code contributions. …
Read More

Published On : 2023-09-29

EXECUTIVE SUMMARY

At CYFIRMA, our commitment is to furnish you with the latest insights into prevalent threats and strategies employed by malicious actors, aiming at both organizations and individuals. This report provides a comprehensive analysis of “The-Murk-Stealer;” an open-source stealer, shedding light on its functionalities and capabilities.…

Read More
Key takeawaysCyble Research and Intelligence Labs (CRIL) recently came across a new stealer called “Exela”. Exela is a Python-based open-source stealer that steals a wide range of sensitive information from compromised systems. It features an extensive array of anti-debugging and anti-virtual machine (VM) techniques, making it a potent tool for Threat Actors (TAs).…
Read More

Volexity has identified several long-running and currently active campaigns undertaken by the threat actor Volexity tracks as EvilBamboo (formerly named Evil Eye) targeting Tibetan, Uyghur, and Taiwanese individuals and organizations. These targets represent three of the Five Poisonous Groups of Chinese Communist Party (CCP).

Volexity has tracked the activities of EvilBamboo for more than five years and continues to observe new campaigns from this threat actor.…

Read More
SUMMARY

Secureworks® Counter Threat Unit™ (CTU) analysis indicates that the GOLD MELODY threat group acts as an initial access broker (IAB) that sells access to compromised organizations for other cybercriminals to exploit. This financially motivated group has been active since at least 2017, compromising organizations by exploiting vulnerabilities in unpatched internet-facing servers.…

Read More

We examine the campaigns of the cyberespionage group known as Turla over the years, with a special focus on the key MITRE techniques and the corresponding IDs associated with the threat actor group.

In this blog entry, we examine the campaigns of the cyberespionage group known as Turla over the years, with a special focus on the key MITRE techniques and the corresponding IDs associated with the threat actor group.…

Read More
Introduction

Check Point Research recently discovered an active campaign operating and deploying a new variant of the BBTok banker in Latin America. In the research, we highlight newly discovered infection chains that use a unique combination of Living off the Land Binaries (LOLBins). This resulting in low detection rates, even though BBTok banker operates at least since 2020.…

Read More
Introduction

In a recent disturbing development, software advertised as legitimate has become the weapon of choice for cybercriminals. Two notable examples of this behavior are the Remcos RAT (remote administration tool) and GuLoader (also known as CloudEyE Protector).

These programs, which are positioned as legitimate tools, are constantly used in attacks and occupy top positions in the most prevalent malware rankings.…

Read More
Introduction to SmokeLoader’s Plugins

SmokeLoader is a well-known malware family that has been around for more than 10 years. Its main purpose is to download and drop other malware families. However, SmokeLoader’s operators also sell plugins that add capabilities to the main module. Those plugins allow an affiliate to collect browser data from infected computers, as well as emails, cookies, passwords, and much more.…

Read More

Summary

BlackBerry has discovered a new campaign we’ve dubbed “Silent Skimmer,” involving a financially motivated threat actor targeting vulnerable online payment businesses in the APAC and NALA regions. The attacker compromises web servers, using vulnerabilities to gain initial access. The final payload deploys payment scraping mechanisms on compromised websites to extract sensitive financial data from users.…

Read More
Executive Summary

eSentire, a top global Managed Detection and Response (MDR) security services provider, intercepted and shut down three separate ransomware attacks launched by affiliates of the notorious, Russia-linked LockBit Ransomware Gang. The FBI estimates that the LockBit operators and their affiliates have collected approximately $91 million since the group’s inception, and that is just U.S.…

Read More
Key TakeawaysCyble Research and Intelligence Labs (CRIL) has observed the usage of an open-source PySilon RAT by multiple threat actors (TAs). The presence of over 300 samples on VirusTotal since June 2023 suggests a significant surge in the PySilon malware’s activity. PySilon RAT was first established in December 2022 as version 1.0 and has since evolved to its current iteration, version 3.6.…
Read More