Threat Actor Leveraging Microsoft OneNote To Infect Users

Threat Actors (TAs) continuously adopt new tactics for infecting users for several reasons, including avoiding detection by anti-virus solutions, increasing the likelihood of successful infections, and seeking the challenge of creating new methods of infecting victims.

Recently, several malware families have been spotted using OneNote attachments in their spam campaigns.…

February 01, 2023

Tommy Madjar, Corsin Camichel, Joe Wise, Selena Larson and Chris Talib

Key Findings: The use of Microsoft OneNote documents to deliver malware via email is increasing. Multiple cybercriminal threat actors are using OneNote documents to deliver malware. While some campaigns are targeted at specific industries, most are broadly targeted and include thousands of messages.…

Executive Summary

Unit 42 researchers review tens of millions of attack records every month, and most months, attacks targeting a single vulnerability do not exceed 10% of the total number of attacks. However, we discovered that between August and October 2022, the number of attacks attempting to exploit a Realtek Jungle SDK remote code execution vulnerability (CVE-2021-35394) accounted for more than 40% of the total number of attacks.…

GuLoader is an advanced shellcode downloader infamous for using anti-analysis tricks to evade detection and obstruct reverse engineering. As of this writing, the GuLoader campaign is aggressively ongoing. Trellix’s customers in the e-commerce industry located in South Korea and the United States were heavily targeted by the GuLoader operators.…

Trend Micro researchers discovered a new ransomware that abuses the APIs of a legitimate tool called Everything, a Windows filename search engine developed by Voidtools that offers quick searching and real-time updates for minimal resource usage.

By Aleksandar Milenkoski, Joey Chen, and Amitai Ben Shushan Ehrlich

Executive Summary

SentinelLabs tracks a cluster of recent opportunistic attacks against organizations in East Asia as DragonSpark. SentinelLabs assesses it is highly likely that a Chinese-speaking actor is behind the DragonSpark attacks. The attacks provide evidence that Chinese-speaking threat actors are adopting the little-known open source tool SparkRAT.…

Over the past few weeks, the Huntress team has been tracking the recent conversations surrounding supposed ConnectWise Control vulnerabilities and alleged in-the-wild exploitation.

We have been in contact with both the ConnectWise CISO and security team, as well as the security researcher reporting on this. While there has since been some chatter and news articles, we would like to use this article to share our own perspective.…

At the end of November 2022, experts from Bitdefender Labs started to notice an increase in attacks using ProxyNotShell/OWASSRF exploit chains to target on-premises Microsoft Exchange deployments. SSRF attacks on Microsoft Exchange servers are some of the most popular and routinely exploited vulnerabilities. We decided to release a technical advisory describing these attacks, but also documenting some of the recent attacks that we’ve detected in the wild.…

We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events (this is the intrusion set we track behind the creation of Batloader).

Executive Summary

Playful Taurus, also known as APT15, BackdoorDiplomacy, Vixen Panda, KeChang and NICKEL, is a Chinese advanced persistent threat group that routinely conducts cyber espionage campaigns. The group has been active since at least 2010 and has historically targeted government and diplomatic entities across North and South America, Africa and the Middle East.…

On January 4, 2023, we alerted customers to a security incident. Today, we want to share with you what happened, what we’ve learned, and what our plans are to continuously improve our security posture for the future.

We would like to thank our customers for your attention to rotating and revoking secrets, and apologize for any disruption this incident may have caused to your work.…

We discovered an active campaign ongoing since at least mid-2022 which uses Middle Eastern geopolitical-themed lures to distribute NjRAT (also known as Bladabindi) to infect victims across the Middle East and North Africa.

While threat hunting, we found an active campaign using Middle Eastern geopolitical themes as a lure to target potential victims in the Middle East and Africa.…
