Figure 1 (image from freepik.com and flaticon.com)

The current economic climate globally is grim because of the ongoing recession. In this environment, job-themed emails have become a prime target for cybercriminals looking to exploit vulnerable individuals.

Trellix Advanced Research Center has observed cybercriminals using phishing and malware campaigns to target job seekers in a bid to steal sensitive information.…

Read More

SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft | Sysdig


The Sysdig Threat Research Team recently discovered a sophisticated cloud operation in a customer environment, dubbed SCARLETEEL, that resulted in stolen proprietary data. The attacker exploited a containerized workload and then leveraged it to perform privilege escalation into an AWS account in order to steal proprietary software and credentials.…

Read More

Find out how the Managed XDR team uncovered RedLine Stealer’s evasive spear-phishing campaign that targets the hospitality industry.

Recently, we noticed a spike in the number of emails received by one of our customers. After further investigation, we found that three other customers in the hospitality industry were also affected.…

Read More
Introduction

Attackers are increasingly using OneNote documents to distribute malware, due to the heightened security measures against macro-based attacks and the widespread adoption and popularity of the platform. Analyzing several related case studies, this article showcases the obfuscation techniques used by threat actors to bypass threat detection measures and deceive users into executing malware on their systems via OneNote.…

Read More
Introduction

Zscaler ThreatLabz researchers observed multiple threat campaigns utilizing the Snip3 crypter, a multi-stage remote access trojan (RAT) loader with new TTPs and available since 2021 as a crypter-as-a-service offering.

The Snip3 Crypter service uses advanced evasion, obfuscation, and reflective code loading techniques in its multi-stage infection chain, along with new Tactics, Techniques, and Procedures (TTPs).…

Read More
Key Takeaways

TA569 leverages many types of injections, traffic distribution systems (TDS), and payloads including, but not limited to, SocGholish.

In addition to serving as an initial access broker, these additional injects imply TA569 may be running a pay-per-install (PPI) service.

TA569 may remove injections from compromised websites only to later re-add them to the same websites.…
Read More

Trend Micro’s Managed Extended Detection and Response (MxDR) team discovered that a file called x32dbg.exe was used to sideload a malicious DLL we identified as a variant of PlugX.

Introduction

Trend Micro’s Managed Extended Detection and Response (MxDR) team discovered that a file called x32dbg.exe was used (via the DLL Search Order Hijacking or T1574.001 technique) to sideload a malicious DLL we identified as a variant of PlugX (Trojan.Win32.KORPLUG.AJ.enc).…

Read More
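The sideloading pattern in the Trend Micro item above (a legitimate x32dbg.exe resolving a DLL from its own directory, T1574.001) is something a SOC can hunt for in Sysmon Event ID 7 (ImageLoad) telemetry. The following is an added example, not Trend Micro's detection logic or code: it flags image loads where an executable running outside the Windows and Program Files trees loads a DLL from its own directory that carries no valid signature. The event records and the DLL file name `loader.dll` are constructed for illustration; the real variant's DLL name is not given in the excerpt.

```python
"""Hunt for DLL sideloading candidates in Sysmon Event ID 7 records.

Heuristic (added example, not the vendor's rule): an executable running
from a non-standard location loads a DLL that lives in the same directory
as the executable and is not validly signed. System32 loads, signed DLLs
and binaries installed under Program Files are excluded to reduce noise.
"""
from pathlib import PureWindowsPath

# Constructed Sysmon EID 7 field subsets (Image, ImageLoaded, Signed,
# SignatureStatus). These are sample records, not real telemetry, and
# "loader.dll" is a hypothetical file name.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\victim\AppData\Roaming\dbg\x32dbg.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Roaming\dbg\loader.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\victim\AppData\Roaming\dbg\x32dbg.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\victim\AppData\Roaming\dbg\x32dbg.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Roaming\dbg\vendor.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\x64dbg\x32dbg.exe",
     "ImageLoaded": r"C:\Program Files\x64dbg\loader.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

# Directories where same-directory DLL loads are normal for installed software.
# This only trims noise: an attacker with admin rights can drop files here too.
TRUSTED_ROOTS = (
    r"C:\Windows",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)


def _under_trusted_root(path: PureWindowsPath) -> bool:
    """Case-insensitive prefix check against TRUSTED_ROOTS."""
    lowered = str(path).lower()
    return any(lowered.startswith(root.lower() + "\\") for root in TRUSTED_ROOTS)


def find_sideload_candidates(events):
    """Return (process, dll) pairs that match the sideloading heuristic."""
    hits = []
    for ev in events:
        exe = PureWindowsPath(ev["Image"])
        dll = PureWindowsPath(ev["ImageLoaded"])
        if dll.suffix.lower() != ".dll":
            continue
        # Only same-directory loads are interesting: that is what search-order
        # hijacking of an application directory produces.
        if str(dll.parent).lower() != str(exe.parent).lower():
            continue
        # A validly signed DLL next to the binary is the normal vendor layout.
        if ev.get("Signed", "").lower() == "true" and ev.get("SignatureStatus") == "Valid":
            continue
        # Installed-software locations are excluded to keep the hit list short.
        if _under_trusted_root(exe):
            continue
        hits.append((str(exe), str(dll)))
    return hits


if __name__ == "__main__":
    for process, dll in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"sideload candidate: {process} loaded {dll}")
```

Run against the sample set, only the first record is reported: the unsigned DLL loaded from a user-writable directory by a debugger binary that has no business living there. Treat the hit as a triage lead rather than a verdict, and confirm by checking the DLL's hash and export table and by reviewing child processes of the loader.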

8220 Gang is a low-skill crimeware actor known for infecting cloud hosts through n-day vulnerabilities and remote access brute forcing. We have previously detailed how 8220 expanded its botnet and rotated its infrastructure. Since our last write up in October, the group has again switched to new infrastructure and samples, providing us with an opportunity to share an educational walkthrough of the process of investigating cybercrime activity that may be useful to new or lesser experienced SOC teams, analysts and researchers.…

Read More

By Aleksandar Milenkoski, Collin Farr, and Joey Chen, in collaboration with QGroup

Executive Summary A new threat cluster we track as WIP26 has been targeting telecommunication providers in the Middle East. We assess it is likely that WIP26 is espionage-related. WIP26 relies heavily on public Cloud infrastructure in an attempt to evade detection by making malicious traffic look legitimate.…
Read More

Executive Summary

On February 3, European hosting providers and computer emergency response teams (CERTs) began warning of a widespread ransomware campaign exploiting CVE-2021-21974, a VMware ESXi vulnerability for which a patch has been available since February 2021.

Shortly after the warnings’ publication, SecurityScorecard developed an emergency informational signal to give customers visibility into potentially impacted servers.…

Read More

Figure 1: Global Telemetry from Trellix ATLAS for IPs connecting to port 427

Introduction:

Early this week, VMware issued a publication regarding a massive global ransomware campaign targeting “End of General Support (EOGS) and/or significantly out-of-date ESXi products.”…

Read More
Introduction

Zscaler ThreatLabz research team observed a new campaign targeting a Government organization in which the threat actors utilized a new Command & Control (C2) framework named Havoc. While C2 frameworks are prolific, the open-source Havoc framework is an advanced post-exploitation command and control framework capable of bypassing the current, fully updated version of Windows 11 Defender due to the implementation of advanced evasion techniques such as indirect syscalls and sleep obfuscation.…

Read More

Advertising is an integral part of the modern digital economy, providing businesses with the opportunity to reach a large and diverse audience. However, malicious actors are taking advantage of the ubiquity of online advertising to spread malware, phishing scams, and other forms of malicious content. In recent weeks, Google Ads, one of the largest online advertising platforms, has become a popular target for these types of attacks.…

Read More
Executive Summary

SentinelLabs has observed the first Linux variant of Cl0p ransomware. The ELF executable contains a flawed encryption algorithm making it possible to decrypt locked files without paying the ransom. SentinelLabs has published a free decryptor for this variant here.

Background

SentinelLabs observed the first ELF variant of Cl0p (also known as Clop) ransomware, targeting Linux systems, on the 26th of December 2022.…

Read More