Contents1. Past attack cases…. 1.1. Cases of Innorix Agent abuse…….. 1.1.1. NukeSped variant – Volgmer…….. 1.1.2. Andardoor…….. 1.1.3. 1th Troy Reverse Shell…. 1.2. Cases of attacks against Korean corporations…….. 1.2.1. TigerRat…….. 1.2.2. Black RAT…….. 1.2.3. NukeSped variants2. Cases of recent attacks…. 2.1. Cases of Innorix Agent abuse……..…
Read More Tag: COLLECTION
Artificial intelligence (AI) and large language models (LLMs) can help threat intelligence teams to detect and understand novel threats at scale, reduce burnout-inducing toil, and grow their existing talent by democratizing access to subject matter expertise. However, broad access to foundational Open Source Intelligence (OSINT) data and AI/ML technologies has quickly led to an overwhelming amount of noise for users to sift through.…
Analysis and Report by Fabian Marquardt (@marqufabi)
Recently, Telekom Security CTI was made aware via trust groups in which we are engaged about a new malware campaign that is distributed via phishing emails. The malspam campaign used stolen email threads to lure victim users into clicking the contained hyperlink, which downloaded the malware.…
Introduction
Read More Agniane Stealer fraudulently takes credentials, system information, and session details from browsers, tokens, and file transferring tools. Agniane Stealer also heavily targets cryptocurrency extensions and wallets. Once it obtains the sensitive data, Agniane Stealer transfers that stolen data to command-and-control [C&C] servers, where threat actors can act upon the stolen information. …
By Trellix · August 17, 2023 This story was also written by Phelix Oluoch
Executive SummaryScattered Spider, also referred to as UNC3944, Scatter Swine, and Muddled Libra, is a financially motivated threat actor group that has been active since May 2022. Scattered Spider has largely been observed targeting telecommunications and Business Process Outsourcing (BPO) organizations.…
Summary
Microsoft has identified a nation-state activity group tracked as Flax Typhoon, based in China, that is targeting dozens of organizations in Taiwan with the likely intention of performing espionage. Flax Typhoon gains and maintains long-term access to Taiwanese organizations’ networks with minimal use of malware, relying on tools built into the operating system, along with some normally benign software to quietly remain in these networks.…
Published On : 2023-08-23
EXECUTIVE SUMMARYAt Cyfirma, we are dedicated to providing you with up-to-date information on the most prevalent threats and tactics used by malicious actors to target both organizations and individuals. In this comprehensive analysis, we delve into an ongoing campaign orchestrated by the Remcos Remote Access Trojan (RAT).…
Multiple New Campaigns in 2023 Demonstrate The Malware Family Has Been Redeveloped to Remain a Popular And Prominent Threat
Read More EclecticIQ analysts observe the malware family targeting financial information to be used for immediate gain as well as reconnaissance functions to perform initial information gathering and establish persistence.…
Executive Summary
Read More In March 2023, Lumen Black Lotus Labs reported on a complex campaign called “HiatusRAT” that infected over 100 edge networking devices globally. The campaign leveraged edge routers, or “living on the edge” access, to passively collect traffic and functioned as a covert network of command and control (C2) infrastructure. …
By Aleksandar Milenkoski and Tom Hegel
Executive SummarySentinelLabs has identified suspected-Chinese malware and infrastructure potentially involved in China-associated operations directed at the gambling sector within Southeast Asia. The threat actors drop Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan executables vulnerable to DLL hijacking to deploy Cobalt Strike beacons.…
Recent postsHomeMalware Analysis
XWorm: Technical Analysis of a New Malware Version
Read More In this article, we will take a look at the latest version of an XWorm sample — a widespread malicious program that is advertised for sale on underground forums.
We will analyze the functionality of our sample, as well as extract its configuration. …
In this blogpost, ESET researchers take a look at Spacecolon, a small toolset used to deploy variants of the Scarab ransomware to victims all over the world. It probably finds its way into victim organizations by its operators compromising vulnerable web servers or via brute forcing RDP credentials.…
ESET Research
ESET researchers have observed a new phishing campaign targeting users of the Zimbra Collaboration email server.
Viktor Šperka
17 Aug 2023 • , 5 min. read
ESET researchers have uncovered a mass-spreading phishing campaign, aimed at collecting Zimbra account users’ credentials, active since at least April 2023 and still ongoing.…
Key TakeawaysThe blog delves into a new infection approach to disseminating the SectopRAT final payload.
Providing insight into LummaC stealer and its method of procuring the Amadey bot malware.
The Amadey bot replicates itself to ensure persistence, generating an LNK file within the startup folder directory.…
Read More Published On : 2023-08-11
EXECUTIVE SUMMARYThe Cyfirma Research team has recently discovered a disguised Stealthy MSI Loader being advertised in underground forums by Russian threat actor, showcasing its remarkable ability to evade detection by both Virus Total scan and Windows Defender. Additionally, through our investigation, we have established a link between this MSI Loader and the BatLoader campaign observed in March 2023, highlighting potential coordination between these threats.…
By Tom Hegel and Aleksandar Milenkoski
Executive SummarySentinelLabs identified an intrusion into the Russian defense industrial base, specifically a missile engineering organization NPO Mashinostroyeniya.Our findings identify two instances of North Korea related compromise of sensitive internal IT infrastructure within this same Russian DIB organization, including a specific email server, alongside use of a Windows backdoor dubbed OpenCarrot.…Affected platforms: WindowsImpacted parties: Any organizationImpact: Controls victim’s device and collects sensitive informationSeverity level: Critical
FortiGuard Labs recently detected a new injector written in Rust—one of the fastest-growing programming languages—to inject shellcode and introduce XWorm into a victim’s environment. While Rust is relatively uncommon in malware development, several campaigns have adopted this language since 2019, including Buer loader, Hive, and RansomExx.…
This is the third part of our research based on an investigation of a series of attacks against industrial organizations in Eastern Europe.
The attackers aimed to establish a permanent channel for data exfiltration, including data stored on air-gapped systems.
In total we have identified over 15 implants and their variants planted by the threat actor(s) in various combinations.…
Key Takeaways
Read More • The blog highlights a new infection technique for distributing STRRAT version 1.6. It involves a spam email with a PDF attachment that, when opened, downloads a zip file containing the malicious JavaScript, which drops STRRAT.• STRRAT version 1.6 employs two string obfuscation techniques: “Zelix KlassMaster (ZKM)” and “Allatori”, making it more challenging for security researchers to analyze and detect the malware.•…
Executive Summary
Read More EclecticIQ analysts assess with high confidence that two observed PDF documents are part of an ongoing campaign targeting Ministries of Foreign Affairs of NATO aligned countries. The PDF files masquerade as coming from the German embassy and contained two diplomatic invitation lures.
One of the PDFs delivered a variant of Duke – a malware that has been linked to Russian state-sponsored cyber espionage activities of APT29.…