Key takeaways
- The RUSTBUCKET malware family is in an active development phase, adding built-in persistence and focusing on signature reduction.
- REF9135 actors are continually shifting their infrastructure to evade detection and response.
- The DPRK continues financially motivated attacks against cryptocurrency service providers.
- If you are running Elastic Defend, you are protected from REF9135.

Preamble

The Elastic Security Labs team has detected a new variant of the RUSTBUCKET malware, a family that has been previously attributed to the BlueNorOff group by Jamf Threat Labs in April 2023.…


During the week of February 20, 2023, Sophos X-Ops MDR team received two separate requests for threat hunts related to unusual activity in two customers’ Microsoft 365 (formerly Office 365) environments. This prompted an investigation into sets of Microsoft Graph security events forwarded to Sophos XDR, to identify whether suspicious or malicious activity occurred.…


MuddyWater, also known as Mango Sandstorm (Mercury), is a cyber espionage group that is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).

Executive summary:
- Deep Instinct's Threat Research team has identified a new C2 (command and control) framework.
- The C2 framework is custom-made, continuously in development, and has been used by the MuddyWater group since at least 2021.
- The framework is named PhonyC2 and was used in the attack on the Technion Institute.
- PhonyC2 is currently used in an active PaperCut exploitation campaign by MuddyWater.
- PhonyC2 is similar to MuddyC3, a previous C2 framework created by MuddyWater.

MuddyWater is continuously updating the PhonyC2 framework and changing TTPs to avoid detection, as can be seen throughout the blog and in the investigation of the leaked code of PhonyC2.…

Summary

Zscaler ThreatLabz has discovered a new malware variant, RedEnergy stealer (not to be confused with the Australian company Red Energy), that fits into the hybrid Stealer-as-a-Ransomware threat category.

RedEnergy stealer uses a fake update campaign to target multiple industry verticals and can steal information from various browsers, enabling the exfiltration of sensitive data, while also incorporating modules for carrying out ransomware activities. The…


The United Parcel Service (UPS) says fraudsters have been harvesting phone numbers and other information from its online shipment tracking tool in Canada to send highly targeted SMS phishing (a.k.a. “smishing”) messages that spoofed UPS and other top brands. The missives addressed recipients by name, included details about recent orders, and warned that those orders wouldn’t be shipped unless the customer paid an added delivery fee.…

1. Overview

RedEyes (also known as APT37, ScarCruft, and Reaper) is a state-sponsored APT group that mainly carries out attacks against individuals such as North Korean defectors, human rights activists, and university professors. Its task is known to be monitoring the lives of specific individuals. In May 2023, AhnLab Security Emergency response Center (ASEC) discovered the RedEyes group distributing and using a previously unknown Infostealer with wiretapping features, along with a backdoor developed in Go that abuses the Ably platform.* ABLY…


By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov

June 21, 2023

TL;DR

MULTI#STORM, an attack campaign involving Python-based loader malware, was recently seen delivering Warzone RAT infections via phishing emails.

An interesting phishing campaign was recently analyzed by the Securonix Threat Research Team.…


Since November 2022, the eSentire Threat Response Unit (TRU) has observed the resurgence of what we believe to be a malicious campaign targeting manufacturing, commercial, and healthcare organizations. The campaign is similar to one reported by Trend Micro researchers in December 2020 and is believed to be conducted by native Russian-speaking threat actor(s).…

Key Points
- Mystic Stealer is a new information stealer that was first advertised in April 2023.
- Mystic steals credentials from nearly 40 web browsers and more than 70 browser extensions.
- The malware also targets cryptocurrency wallets, Steam, and Telegram.
- The code is heavily obfuscated, making use of polymorphic string obfuscation, hash-based import resolution, and runtime calculation of constants.
- Mystic implements a custom binary protocol that is encrypted with RC4.

How do you know when something is in hot demand in the underground economy?…
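As an added illustration (not code from the Zscaler write-up and not Mystic Stealer's own code), the Python below shows two of the techniques listed in the key points in generic form: resolving imports by hashing export names instead of storing API strings, and RC4 as used to protect a custom binary protocol. The hash algorithm (the ROR-13 additive hash familiar from Metasploit shellcode), the export table and the sample message are assumptions chosen for illustration; nothing here claims to be Mystic's actual hash, key or wire format.

```python
"""Generic API-hashing and RC4 illustration (added example, not Mystic's code).

The hash function and the export table below are ASSUMED for illustration;
they are not claimed to match any particular malware family.
"""
from typing import Dict, Iterable, List, Optional


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """ROR-13 additive hash over an ASCII export name (assumed algorithm).

    A loader built this way ships only 32-bit constants, so the API names it
    needs never appear as strings in the binary.
    """
    h = 0
    for ch in name.encode("ascii"):
        h = ror32(h, 13)
        h = (h + ch) & 0xFFFFFFFF
    return h


# Constructed stand-in for a loaded module's export table: name -> address.
FAKE_EXPORTS: Dict[str, int] = {
    "CreateFileW": 0x7FF810000010,
    "WriteFile": 0x7FF810000020,
    "VirtualAlloc": 0x7FF810000030,
    "InternetOpenA": 0x7FF820000010,
}


def resolve_by_hash(target_hash: int, exports: Dict[str, int]) -> Optional[int]:
    """Loader side: walk the export table, hash each name, stop on a match."""
    for name, address in exports.items():
        if ror13_hash(name) == target_hash:
            return address
    return None


def build_hash_table(names: Iterable[str]) -> Dict[int, str]:
    """Analyst side: precompute hashes of known API names so the constants
    seen in a sample can be mapped back to the APIs they resolve."""
    return {ror13_hash(n): n for n in names}


def deobfuscate(hashes: Iterable[int], table: Dict[int, str]) -> List[str]:
    """Map a list of hash constants recovered from a sample to API names."""
    return [table.get(h, f"UNKNOWN_{h:08x}") for h in hashes]


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same
    operation, so an analyst who recovers the key can decode both directions
    of a custom protocol."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


if __name__ == "__main__":
    # Loader view: only the constant is present in the "binary".
    wanted = ror13_hash("VirtualAlloc")
    print(f"resolve 0x{wanted:08x} -> 0x{resolve_by_hash(wanted, FAKE_EXPORTS):x}")
    # Analyst view: recover names from constants pulled out of a sample.
    table = build_hash_table(FAKE_EXPORTS)
    print(deobfuscate([wanted, ror13_hash("WriteFile"), 0xDEADBEEF], table))
    # Constructed C2-style message encrypted and decrypted with one key.
    key = b"illustrative-key"
    blob = rc4(key, b"\x01\x00hostname=lab-01")
    print(rc4(key, blob))
```

The precomputed-table approach scales to whole DLL export lists: hash every export of the modules the sample loads, then look up each constant found in the binary. Any constant that stays UNKNOWN is a signal that either the hash algorithm guess is wrong or the name is resolved from a module not yet in the table.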


On May 23, 2023, Barracuda announced that a zero-day vulnerability (CVE-2023-2868) in the Barracuda Email Security Gateway (ESG) had been exploited in the wild as early as October 2022 and that they had engaged Mandiant to assist in the investigation. Through the investigation, Mandiant identified a suspected China-nexus actor, currently tracked as UNC4841, targeting a subset of Barracuda ESG appliances to use as a vector for espionage, spanning a multitude of regions and sectors.…

Fake VPN Sites Distributing Various Malware Strains

Threat actors (TAs) commonly use fake phishing websites as their preferred method of distributing malware, because it is easy to lure victims into clicking links in phishing emails or SMS messages. TAs often use brand impersonation in these campaigns to create an illusion of trustworthiness and legitimacy and trick unsuspecting individuals.…


Since December 2022, the eSentire Threat Response Unit (TRU) has observed Aurora Stealer malware infections in the manufacturing industry. It is distributed via fake Google Ads for the Notepad++ installer. Aurora Stealer gathers sensitive data, including cookies, autofill information, and encrypted passwords from browsers such as Opera, Brave, Mozilla Firefox, and Chrome.…

Executive Summary

The Cortex Threat Research team has recently identified multiple espionage attacks targeting governmental entities in the Middle East and Africa. According to our findings, the main goal of the attacks was to obtain highly confidential and sensitive information, specifically related to politicians, military activities, and ministries of foreign affairs.…


As Russia’s invasion of Ukraine continues into its second year and Microsoft continues to collaborate with global partners in response, the exposure of destructive cyber capabilities and information operations provides greater clarity into the tools and techniques used by Russian state-sponsored threat actors. Throughout the conflict, Russian threat actors have deployed a variety of destructive capabilities with varying levels of sophistication and impact, which showcase how malicious actors rapidly implement novel techniques during a hybrid war, along with the practical limitations of executing destructive campaigns when significant operational errors are made and the security community rallies around defense.…

Key takeaways
- The REF2754 intrusion set leverages multiple PE loaders, backdoors, and PowerShell runners.
- SPECTRALVIPER is a heavily obfuscated, previously undisclosed x64 backdoor that brings PE loading and injection, file upload and download, file and directory manipulation, and token impersonation capabilities.
- We are attributing REF2754 to a Vietnam-based intrusion set and aligning it with the Canvas Cyclone/APT32/OceanLotus threat actor.

Preamble

Elastic Security Labs has been tracking an intrusion set targeting large Vietnamese public companies for several months, REF2754.…
