The realm of cybersecurity is becoming more and more chaotic with each passing day, and there will always be a new actor entering the world of cybersecurity. The Dark Pink APT Group is one such entity that has recently caught the attention of security researchers and organizations worldwide.…
Tag: BROWSER
Key TakeawaysCyble Research and Intelligence Labs (CRIL) encountered a RAR archive file that could propagate through adult websites or fake adult sites, etc.
In this malware campaign, Threat Actors (TAs) exploit a vulnerability in WinRAR (CVE-2023-38831) to distribute their malicious payloads onto the systems of their victims.…
Read More
Introduction
Read More As long as cybercriminals want to make money, they’ll keep making malware, and as long as they keep making malware, we’ll keep analyzing it, publishing reports and providing protection. Last month we covered a wide range of cybercrime topics. For example, we published a private report on a new malware found on underground forums that we call ASMCrypt (related to the DoubleFinger loader).…
What Happened?
In July 2023, our scanners detected nontypical commits to hundreds of GitHub repositories appear to be contributed by Dependabot and carrying malicious code. Those commit messages were fabricated by threat actors to appear as a Dependabot automated contribution in the commit history, an attempt to disguise the malicious activity After reaching out and talking to some of the victims who got compromised, we can confirm that the victims’ GitHub personal access token was stolen and used by the attackers to contribute those malicious code contributions. …Published On : 2023-09-29
EXECUTIVE SUMMARYAt CYFIRMA, our commitment is to furnish you with the latest insights into prevalent threats and strategies employed by malicious actors, aiming at both organizations and individuals. This report provides a comprehensive analysis of “The-Murk-Stealer;” an open-source stealer, shedding light on its functionalities and capabilities.…
This post is also available in: 日本語 (Japanese)
Executive SummaryThe CL0P ransomware group recently began using torrents to distribute victim data after a successful campaign stealing data from thousands of companies. We’ll cover the reason for this shift in methodology and what this means for visibility to the outside world.…
Key takeawaysCyble Research and Intelligence Labs (CRIL) recently came across a new stealer called “Exela”.
Exela is a Python-based open-source stealer that steals a wide range of sensitive information from compromised systems.
It features an extensive array of anti-debugging and anti-virtual machine (VM) techniques, making it a potent tool for Threat Actors (TAs).…
Read More Volexity has identified several long-running and currently active campaigns undertaken by the threat actor Volexity tracks as EvilBamboo (formerly named Evil Eye) targeting Tibetan, Uyghur, and Taiwanese individuals and organizations. These targets represent three of the Five Poisonous Groups of Chinese Communist Party (CCP).
Volexity has tracked the activities of EvilBamboo for more than five years and continues to observe new campaigns from this threat actor.…
SUMMARY
Read More Secureworks® Counter Threat Unit™ (CTU) analysis indicates that the GOLD MELODY threat group acts as an initial access broker (IAB) that sells access to compromised organizations for other cybercriminals to exploit. This financially motivated group has been active since at least 2017, compromising organizations by exploiting vulnerabilities in unpatched internet-facing servers.…
Key Takeaways Proofpoint identified a new malware called ZenRAT being distributed via fake installation packages of the password manager Bitwarden.
The malware is specifically targeting Windows users and will redirect people using other hosts to a benign webpage.
At this time, it is unknown how the malware is being distributed. …
Read More This post is also available in: 日本語 (Japanese)
Executive SummaryWe observed a series of intrusions directed at a Southeast Asian government target, a cluster of activity that we attribute with a moderate level of confidence to Alloy Taurus, a group believed to be operating on behalf of Chinese state interests.…
In 2022, The DFIR Report observed an increase in the adversarial usage of Remote Management and Monitoring (RMM) tools. When compared to post-exploitation channels that heavily rely on terminals, such as Cobalt Strike or Metasploit, the graphical user interface provided by RMMs are more user friendly.…
We examine the campaigns of the cyberespionage group known as Turla over the years, with a special focus on the key MITRE techniques and the corresponding IDs associated with the threat actor group.
In this blog entry, we examine the campaigns of the cyberespionage group known as Turla over the years, with a special focus on the key MITRE techniques and the corresponding IDs associated with the threat actor group.…
Introduction
Read More Check Point Research recently discovered an active campaign operating and deploying a new variant of the BBTok banker in Latin America. In the research, we highlight newly discovered infection chains that use a unique combination of Living off the Land Binaries (LOLBins). This resulting in low detection rates, even though BBTok banker operates at least since 2020.…
Introduction
Read More In a recent disturbing development, software advertised as legitimate has become the weapon of choice for cybercriminals. Two notable examples of this behavior are the Remcos RAT (remote administration tool) and GuLoader (also known as CloudEyE Protector).
These programs, which are positioned as legitimate tools, are constantly used in attacks and occupy top positions in the most prevalent malware rankings.…
Introduction to SmokeLoader’s Plugins
Read More SmokeLoader is a well-known malware family that has been around for more than 10 years. Its main purpose is to download and drop other malware families. However, SmokeLoader’s operators also sell plugins that add capabilities to the main module. Those plugins allow an affiliate to collect browser data from infected computers, as well as emails, cookies, passwords, and much more.…
In this blog, we investigate how threat actors used information-stealing malware with EV code signing certificates and later delivered ransomware payloads to its victims via the same delivery method.
We have been observing malware families RedLine and Vidar since the middle of 2022, when both were used by threat actors to target victims via spear-phishing scams.…
Summary
BlackBerry has discovered a new campaign we’ve dubbed “Silent Skimmer,” involving a financially motivated threat actor targeting vulnerable online payment businesses in the APAC and NALA regions. The attacker compromises web servers, using vulnerabilities to gain initial access. The final payload deploys payment scraping mechanisms on compromised websites to extract sensitive financial data from users.…
Executive Summary
Read More eSentire, a top global Managed Detection and Response (MDR) security services provider, intercepted and shut down three separate ransomware attacks launched by affiliates of the notorious, Russia-linked LockBit Ransomware Gang. The FBI estimates that the LockBit operators and their affiliates have collected approximately $91 million since the group’s inception, and that is just U.S.…
Key TakeawaysCyble Research and Intelligence Labs (CRIL) has observed the usage of an open-source PySilon RAT by multiple threat actors (TAs).
The presence of over 300 samples on VirusTotal since June 2023 suggests a significant surge in the PySilon malware’s activity.
PySilon RAT was first established in December 2022 as version 1.0 and has since evolved to its current iteration, version 3.6.…
Read More