@tas_kmanager), in collaboration with Curated Intelligence, shared his research on a newly observed phishing method that abuses the in-app chat functionality of multiple web and mobile applications. He was also able to link this campaign to other, similar campaigns based on shared TTPs and IoCs.

Figure 1 – The Chat Message

The message itself came from the official account of the hotel merchant; Tas had contacted them before via this method to inquire about the hotel room.…

Key Takeaways

TrickMo Banking Trojan, initially identified in September 2019, was shown to employ an overlay attack as its main method of harvesting credentials from target applications.

Overview

The TrickMo Banking Trojan was identified in September 2019 and was disseminated through the TrickBot malware. In March 2020, IBM researchers analyzed a newly discovered Android Banking Trojan known as “TrickMo.”…

RisePro Malware Analysis: Exploring C2 Communication of a New Version

RisePro is a malware-as-a-service info-stealer, first identified in 2022. Recently, we detected a spike in its activity and decided to conduct an investigation, which led to interesting findings.

RisePro is a well-documented malware, but we quickly realized that the network traffic patterns of our samples did not match the existing literature.…


During a recent hunt, Qualys Threat Research has come across a ransomware family known as Phobos, impersonating VX-Underground. Phobos ransomware has been knocking on our door since early 2019 and is often seen being distributed via stolen Remote Desktop Protocol (RDP) connections. Strongly believed to be closely tied to the preceding Dharma malware, Phobos usually operates as a Ransomware-as-a-Service (RaaS) threat model.…


[Update] February 01, 2024: U.S. Government Actions Against Volt Typhoon

As cyber currents ebb and flow, a storm named Volt Typhoon surges from the digital depths. This isn’t your typical tempest from the sea but a state-sponsored maelstrom with a tendency for espionage. Volt Typhoon, believed to be backed by the Chinese government, stands out for its sophisticated tactics and high-profile targets.…


Authors: Shilpesh Trivedi and Nisarga C M

In April 2023, the cybersecurity community faced a significant challenge with the discovery of CVE-2023-38831, a vulnerability affecting versions of WinRAR prior to 6.23. This security flaw has become a critical concern due to its exploitation by various advanced persistent threat (APT) groups, who have used it to gain control of victim systems through deceptive methods.…

Cisco Talos recently identified the most prolific Phobos variants, common affiliate tactics, techniques and procedures (TTPs), and characteristics of the Phobos affiliate structure, based on observed Phobos activity and analysis of over 1,000 Phobos samples from VirusTotal dating back to 2019. We assess with moderate confidence Eking, Eight, Elbie, Devos and Faust are the most common Phobos variants, as they appeared most frequently across the samples we analyzed. …

SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders detailing various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.…

Dark Pink TTPs

Dark Pink Toolset

Dark Pink employs a variety of tools and custom-built malicious software designed for data theft and espionage. Their specialized toolkit comprises:

Cucky: A straightforward custom information stealer coded in .NET. It is proficient in extracting passwords, browsing history, login credentials, and cookies from a range of web browsers targeted by the group.…

Key takeaways

From July through October 2023, Proofpoint researchers observed TA402 engage in phishing campaigns that delivered a new initial access downloader dubbed IronWind. The downloader was followed by additional stages that consisted of downloaded shellcode. During the same period, TA402 adjusted its delivery methods, moving from using Dropbox links to using XLL and RAR file attachments, likely to evade detection efforts. …

Unveiling the Dark Side: A Deep Dive into Active Ransomware Families

Author: Molly Dewis

Intro

Our technical experts have written a blog series focused on the Tactics, Techniques and Procedures (TTPs) deployed by four ransomware families recently observed during NCC Group's incident response engagements.

In case you missed it, our last post analysed an Incident Response engagement involving the D0nut extortion group.…

Overview

In 2022, NSFOCUS Research Labs revealed a large-scale APT attack campaign called DarkCasino and identified an active and aggressive threat actor behind it. Through continuous tracking and in-depth study of the attacker's activities, NSFOCUS Research Labs has ruled out links with known APT groups, confirmed its nature as a high-level persistent threat, and, following the operation's name, designated this APT group DarkCasino.…
