ESET researchers have identified twelve Android espionage apps that share the same malicious code: six were available on Google Play, and six were found on VirusTotal. All the observed applications were advertised as messaging tools apart from one that posed as a news app. In the background, these apps covertly execute remote access trojan (RAT) code called VajraSpy, used for targeted espionage by the Patchwork APT group.…


Mandiant Managed Defense has been tracking UNC4990, an actor who heavily uses USB devices for initial infection. UNC4990 primarily targets users based in Italy and is likely motivated by financial gain. Our research shows this campaign has been ongoing since at least 2020.

Despite relying on the age-old tactic of weaponizing USB drives, UNC4990 continues to evolve their tools, tactics and procedures (TTPs).…


ESET has collaborated with the Federal Police of Brazil in an attempt to disrupt the Grandoreiro botnet. ESET contributed to the project by providing technical analysis, statistical information, and known command and control (C&C) server domain names and IP addresses. Due to a design flaw in Grandoreiro’s network protocol, ESET researchers were also able to get a glimpse into the victimology.…


January 23, 2024

Stately Taurus Targets Myanmar Amidst Concerns over Military Junta’s Handling of Rebel Attacks

The recent ethnic rebel attacks in Myanmar have put the Myanmar junta and surrounding countries on high alert. Since October 2023, a rebel alliance called the Three Brotherhood Alliance (3BHA) has been attacking Myanmar’s military across its northern regions, reportedly seizing its junta outposts and military positions.…


Identifier: TRR240101.

On 2023-12-28, the Ukrainian government computer emergency and incident response team (CERT-UA) described a malicious espionage campaign that targeted government organizations in Ukraine. CERT-UA attributed the campaign to the APT28 threat actor (aka Sofacy, Fancy Bear, etc.).

The malicious campaign leveraged spear-phishing to trick users into visiting a remote HTML page and opening a Windows shortcut, which in turn enabled the deployment of remote execution tools (MASEPIE, OCEANMAP), a credential stealer (STEELHOOK), as well as a publicly available reconnaissance and credential-harvesting tool (Impacket).…


[Update] January 30, 2024: “Official Attributions of Star Blizzard”

Within the continuously changing cyber threat landscape, the strategies of Star Blizzard unfold with a calculated precision, resembling a strategic orchestration. Spear-phishing, in this context, mirrors a carefully planned and executed maneuver. This elusive group, exhibiting a level of sophistication comparable to seasoned experts, systematically identifies specific individuals and groups as their targeted audience.…


ESET researchers provide an analysis of an attack carried out by a previously undisclosed China-aligned threat actor we have named Blackwood, and that we believe has been operating since at least 2018. The attackers deliver a sophisticated implant, which we named NSPX30, through adversary-in-the-middle (AitM) attacks hijacking update requests from legitimate software.…

Authors: Christopher Kim, Randy McEoin

Executive Summary

While cybercriminals are often portrayed as gangs of hackers or lone brilliant coders, more often they buy and sell goods and services as part of a larger criminal economy. For example, some actors sell malware services, and malware-as-a-service (MaaS) allows buyers easy access to the infrastructure necessary to commit crimes.…

What is Infamous Chisel?

Infamous Chisel is a collection of surveillance tooling used to target Android devices. It was first reported by the Ukrainian Security Service (SBU) in early August 2023 and attributed to Russia’s Sandworm APT. According to the SBU, the main purpose of this toolset was to collect information from Android devices likely connected to Ukrainian military information systems during the Russia-Ukraine war.…

Key Takeaways

Cyble Research and Intelligence Labs (CRIL) came across a ZIP archive file that could be downloaded from a URL and possibly disseminated through spam emails. Within the ZIP file lies a shortcut LNK file, cleverly masked as a PDF document. Upon execution of the shortcut file, it initiates the VPN application, which utilizes DLL sideloading to load a concealed malicious DLL.…

AutoIt is a scripting language designed for automating the Windows GUI and general scripting. Over the years, it has been utilized for malicious purposes, including AutoIt-compiled malware, which dates back to as early as 2008.

Malware creators have exploited the versatility of AutoIt in a variety of ways, such as using obfuscated scripts for payload decryption, utilizing legitimate tools like BaSupportVNC, and even creating worms capable of spreading through removable media and Windows shares.…


One hacker collective continues to confound federal law enforcement and cybersecurity experts — the Scattered Spider. Known by a multitude of aliases such as Muddled Libra, UNC3944, Starfraud, and Octo Tempest, this hacking group has not only infiltrated major corporate networks like MGM Resorts and Caesars Entertainment but has done so with a bold audacity that leaves many wondering.…

SUMMARY

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to disseminate known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with threat actors deploying Androxgh0st malware. Multiple, ongoing investigations and trusted third party reporting yielded the IOCs and TTPs, and provided information on Androxgh0st malware’s ability to establish a botnet that can further identify and compromise vulnerable networks.…


Since November 2023, Microsoft has observed a distinct subset of Mint Sandstorm (PHOSPHORUS) targeting high-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the United Kingdom, and the United States. In this campaign, Mint Sandstorm used bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files.…

A Full Analysis of the Pure Malware Family: Unique and Growing Threat

In this article, we’re analyzing one of the most unusual crypters — PureCrypter, and a multifunctional stealer — PureLogs. We’ll look at several examples and identify patterns among Pure-malware families, and also explain how to detect PureCrypter and PureLogs.…
