In late January 2022, ThreatLabz identified an updated version of Conti ransomware as part of the global ransomware tracking efforts. This update was released prior to the massive leak of Conti source code and chat logs on Februrary 27, 2022. The leaks were published by a Ukrainian researcher after the invasion of Ukraine.…
Tag: BROWSER
Since the beginning of this year, Avast has protected more than 2,000 customers from this password stealer.
Avast researchers have found password stealer malware, disguised as a private Fortnite server, where users can meet for a private match, and use skins for free. The malware is being heavily propagated on communications platform Discord.…
The DirtyMoe malware is deployed using various kits like PurpleFox or injected installers of Telegram Messenger that require user interaction. Complementary to this deployment, one of the DirtyMoe modules expands the malware using worm-like techniques that require no user interaction.
This research analyzes this worming module’s kill chain and the procedures used to launch/control the module through the DirtyMoe service.…
Pandora ransomware came into the spotlight in March 2022 after targeting some high-profile victims on its leak site. The ransomware group announced its first victim on 21 Feb 2022 and has posted around five victims to date.
Figure 1: Pandora ransomware data leak siteDuring a routine threat hunting exercise, Cyble Research Labs came across the sample for this ransomware.…
Over recent months, the CrowdStrike Falcon® OverWatch™ team has tracked an ongoing, widespread intrusion campaign leveraging bundled .msi installers to trick victims into downloading malicious payloads alongside legitimate software. These payloads and scripts were used to perform reconnaissance and ultimately download and execute NIGHT SPIDER’s Zloader trojan, as detailed in CrowdStrike CROWDSTRIKE FALCON® INTELLIGENCE™ Premium reporting.…
CryptBot is back. A new and improved version of the malicious infostealer has been unleashed via compromised pirate sites, which appear to offer “cracked” versions of popular software and video games.
Making news most recently for an outbreak in early 2022, the malware first appeared in the wild in 2019, and it is now actively changing its attack and distribution methods.…
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.…
The emails can be jarring, but the technique used by Qakbot (aka Qbot) seems to be especially convincing: The email-borne malware has a tendency to spread itself around by inserting malicious replies into the middle of existing email conversations, using the compromised accounts of other infection victims.…
In July of 2021, we identified an infection campaign targeting important European entities. During this investigation we could identify the threat actor behind these attacks as LazyScripter, an emerging APT group pointed by MalwareBytes in February 2021.
Through our analysis, we could track their activity with precise dates in 2021 based on their samples.…
We recently came across a stealer, called Raccoon Stealer, a name given to it by its author. Raccoon Stealer uses the Telegram infrastructure to store and update actual C&C addresses.
Raccoon Stealer is a password stealer capable of stealing not just passwords, but various types of data, including:
Cookies, saved logins and forms data from browsers Login credentials from email clients and messengers Files from crypto wallets Data from browser plugins and extension Arbitrary files based on commands from C&CIn addition, it’s able to download and execute arbitrary files by command from its C&C.…
CryptBot is an infostealer that is usually distributed under the disguise of web pages that share cracks and tools. The distribution pages are exposed at the top of the search result page of search engines such as Google, so the risk of infection is high, and the number of relevant detection cases is also relatively high.…
Summary
Read More
The criminal group behind the Arkei information stealer appears to be interested in more than just picking our pockets. While cryptocurrency remains a primary target for the malware, which has recently been tied to use of the stealthy SmokeLoader downloader, a new analysis of Arkei shows that it has now expanded its reach to collect multifactor (MFA) authentication data as well.…
Over the past year, FortiEDR has prevented multiple attacks that attempted to exploit various Microsoft Exchange server vulnerabilities, some of which we have previously covered.
Among these attacks, we identified a campaign operated by Moses Staff, a geo-political motivated threat group believed to be sponsored by the Iranian government.…
Summary
Read More
The ShadowPad advanced modular remote access trojan (RAT) has been deployed by the Chinese government-sponsored BRONZE ATLAS threat group since at least 2017. A growing list of other Chinese threat groups have deployed it globally since 2019 in attacks against organizations in various industry verticals.…
Research by: Aliaksandr Trafimchuk, Raman Ladutska
This research comes as a follow-up to our previous article on Trickbot, “When Old Friends Meet Again: Why Emotet Chose Trickbot For Rebirth” where we provided an overview of the Trickbot infrastructure after its takedown. Check Point Research (CPR) now sheds some light on the technical details of key Trickbot modules.…
Over the past seven months, SophosLabs has monitored a series of new efforts to distribute SolarMarker, an information stealer and backdoor (also known as Jupyter or Polazert). First detected in 2020, the .NET malware usually delivered by a PowerShell installer has information harvesting and backdoor capabilities.…
These websites host Smokeloader payloads as part of three categories named “pab1”, “pab2” and “pab3”. These are not necessarily linked to the analogous “pub*” affiliate IDs, since we have seen some “pab2” payloads with the “555” affiliate ID. While tracking PrivateLoader, we only received links to download the “pab2” payloads from these websites.…
Qbot (aka QakBot, Quakbot, Pinkslipbot ) has been around for a long time having first been observed back in 2007. More info on Qbot can be found at the following links: Microsoft & Red Canary
In this case, from October 2021, we will break down how Qbot quickly spread across all workstations in an environment, while stealing browser information and emails.…
February 3, 2022
[UPDATE] On February 4, 2022, Zimbra provided an update regarding this zero-day exploit vulnerability and reported that a hotfix for 8.8.15 P30 would be available on February 5, 2022. This vulnerability was later assigned CVE-2022-24682 and was fixed in version 8.8.15P30 Update 2 of Zimbra Collaboration Suite.…
Analysis of a new malware called Mars Stealer, which is a further development of Oski Stealer.
It has been noticed that Oski support stopped answering its customers and deleted its telegram account and bot around July 2, 2020. This disappearance has raised eyebrows, as major projects like KPOT Stealer and Predator The Thief don’t usually just go away.…