Sygnia recently investigated a Cheerscrypt ransomware attack which utilized Night Sky ransomware TTPs. Further analysis revealed that Cheerscrypt and Night Sky are both rebrands of the same threat group, dubbed ‘Emperor Dragonfly’ by Sygnia.
‘Emperor Dragonfly’ (A.K.A. DEV-0401 / BRONZE STARLIGHT) deployed open-source tools that were written by Chinese developers for Chinese users.…
This is the third blog post in a four-part series. Read Part 1 | Part 2 | Part 4.
In Part 1 of this four-part blog series examining wiper malware, the CrowdStrike Endpoint Protection Content Research Team introduced the topic of wipers, reviewed their recent history and presented common adversary techniques that leverage wipers to destroy system data.…
This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 recently observed a polyglot Microsoft Compiled HTML Help (CHM) file being employed in the infection process used by the information stealer IcedID. We will show how to analyze the polyglot CHM file and the final payload so you can understand how the sample evades detection.…
Zscaler ThreatLabz has observed a campaign that delivers Agent Tesla, a .NET based keylogger and remote access trojan (RAT) active since 2014, using a builder named “Quantum Builder” sold on the dark web. This campaign features enhancements and a shift toward LNK (Windows shortcut) files when compared to similar attacks in the past. …
NullMixer is a dropper leading to an infection chain of a wide variety of malware families. NullMixer spreads via malicious websites that can be found mainly via search engines. These websites are often related to crack, keygen and activators for downloading software illegally, and while they may pretend to be legitimate software, they actually contain a malware dropper.…
Broadcom Software, tracks as Coreid (aka FIN7, Carbon Spider). Darkside was used in the Colonial Pipeline ransomware attack in May 2021. The extreme amount of public and law enforcement attention that attack attracted led Coreid to shut down Darkside and replace it with BlackMatter. Coreid runs a ransomware-as-a-service (RaaS) operation, which means it develops the ransomware but it is deployed by affiliates for a cut of the profits.…
This post is also available in: 日本語 (Japanese)
Executive SummaryCybercriminals compromise domain names to attack the owners or users of the domains directly, or use them for various nefarious endeavors, including phishing, malware distribution, and command and control (C2) operations. A special case of DNS hijacking is called domain shadowing, where attackers stealthily create malicious subdomains under compromised domain names.…
The threat actor using Crytox ransomware has been active since at least 2020, but has received significantly less attention than many other ransomware families.…
Users are advised to patch immediately: We found exploit samples abusing the Atlassian Confluence vulnerability (CVE-2022-26134) in the wild for malicious cryptocurrency mining.
We observed the active exploitation of CVE-2022-26134, an unauthenticated remote code execution (RCE) vulnerability with a critical rating of 9.8 in the collaboration tool Atlassian Confluence.…
In July 2022, during proactive threat hunting activities at a company in the media industry, Mandiant Managed Defense identified a novel spear phish methodology employed by the threat cluster tracked as UNC4034. Mandiant has identified several overlaps between this group and those we suspect have a North Korea nexus.…
On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within the OSINT community and our datasets. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.…
Over the past week we observed three different attacks on our honeypots. The scripts and malware that were used bear a striking resemblance to none other than the threat actor TeamTNT. Eleven months ago they posted a farewell note on Twitter. Since then, we have only seen legacy attacks which automatically run on past infrastructure.…
On August 9, 2022, we released a blog post about a phishing campaign where attackers were abusing Google Sites and Microsoft Azure Web Apps to steal cryptocurrency wallets and accounts from different targets, namely Coinbase, MetaMask, Kraken, and Gemini. The attackers were abusing SEO techniques to spread the pages and using advanced techniques to steal data, such as using live chats to interact with victims.…
While Google Chrome still dominates as the top browser, Microsoft Edge, which is based on the Chromium source code, is gradually gaining more users. Perhaps more importantly, it is the default browser on the Microsoft Windows platform and as such some segments of its user base are of particular interest to fraudsters.…
Summary
Actions to take today to protect against ransom operations:
• Keep systems and software updated and prioritize remediating known exploited vulnerabilities.• Enforce MFA.• Make offline backups of your data.
This joint Cybersecurity Advisory (CSA) is the result of an analytic effort among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), U.S.…
This blog entry details how Trend Micro Cloud One™ – Workload Security and Trend Micro Vision One™ effectively detected and blocked the abuse of the CVE-2020-14882 WebLogic vulnerability in affected endpoints.
We have recently observed malicious actors exploiting both recently disclosed and older Oracle WebLogic Server vulnerabilities to deliver cryptocurrency-mining malware.…
This post is also available in: 日本語 (Japanese)
Executive SummaryOn March 4, 2019, one of the most well-known keyloggers used by criminals, called Agent Tesla, closed up shop due to legal troubles. In the announcement message posted on the Agent Tesla Discord server, the keylogger’s developers suggested people switch over to a new keylogger: “If you want to see a powerful software like Agent Tesla, we would like to suggest you OriginLogger.…
In this intrusion from May 2022, we observed a domain-wide compromise that started from a malware ridden Excel document containing the never-dying malware, Emotet.
The post-exploitation started very soon after the initial compromise. The threat actors began enumerating the network once Emotet deployed a Cobalt Strike beacon on the beachhead host.…
Found in Environments Protected By: Microsoft
By Andy Mann and Dylan Main, Cofense Phishing Defense Center
Analysts at the Cofense Phishing Defense Center (PDC) have recently analyzed an email asking users to download a “Proof of Payment” as well as other documents. While it is important to never click on the link(s) or download the attachment(s) of any suspicious email, if the recipient interacts with the link, it downloaded the malware Lampion.…