Tag: CRYPTO

Ransomware Uses Multi-Faceted Data Cleaning Tactics to Avoid Recovery

Threat Actors (TAs) have shown increasing interest in utilizing the Go programming language. This can be attributed to its cross-platform capabilities and the added challenge it presents to reverse engineering. Consequently, numerous malware, including ransomware, has been observed that were implemented using the Go language.…

Read More

Affected Platforms: WindowsImpacted Users: Windows usersImpact: Compromised machines are under the control of the threat actor, potentially resulting in stolen personally identifiable information (PII), credential theft, financial loss, etc.Severity Level: Medium

The time has come again for tax returns—and tax-based scams. Targeting calendar-based events enables threat actors to prepare ahead of time and have a new selection of targets on rotation.…

Read More
Executive SummarySentinelLabs has been tracking a cluster of malicious documents that stage Crimson RAT, distributed by APT36 (Transparent Tribe). We assess that this activity is part of the group’s previously reported targeting of the education sector in the Indian subcontinent. We observed APT36 introducing OLE embedding to its typically used techniques for staging malware from lure documents and versioned changes to the implementation of Crimson RAT, indicating the ongoing evolution of APT36’s tactics and malware arsenal.…
Read More

Executive summary

TEHTRIS Threat Hunters analyzed illicit cryptomining activity targeting Linux-based machines. The attack happened on one of our high interaction honeypots hosted in France in mid-January across a short timeframe (less than 5 minutes). Our honeypot was a Linux under Ubuntu 22.04. The cybercriminal group behind this attack employs a strategy to optimize the use of the compromised device’s resources.…

Read More

In this blog post, we’ll provide a detailed analysis of a malicious payload we’ve dubbed “Impala Stealer”, a custom crypto stealer which was used as the payload for the NuGet malicious packages campaign we’ve exposed in our previous post. The sophisticated campaign targeted .NET developers via NuGet malicious packages, and the JFrog Security team was able to detect and report it as part of our regular activity of exposing supply chain attacks.…

Read More
Malicious campaigns targeting open-source ecosystems are causing a flood of spam, SEO poisoning, and malware infection. The threat actors create malicious websites and publish empty packages with links to those malicious websites, taking advantage of open-source ecosystems’ good reputation on search engines. The attacks caused a Denial of Service (DoS) that made NPM unstable with sporadic “Service Unavailable” errors.…
Read More

This post is also available in: 日本語 (Japanese)

Executive Summary

Unit 42 recently discovered a malware campaign targeting Portuguese speakers, which aims to redirect cryptocurrency away from legitimate users’ wallets and into wallets controlled by threat actors instead. To do this, the campaign uses a type of malware known as a cryptocurrency clipper, which monitors the victim’s clipboard for signs that a cryptocurrency wallet address is being copied.…

Read More
Executive SummaryOur insights into a recent NullMixer malware operation revealed Italy and France are the favorite European countries from the opportunistic attackers’ perspective. In thirty days, the operation we monitored was capable to establish initial access to over 8 thousand endpoints and steal sensitive data that are now reaching the underground black markets.…
Read More

The scourge of ransomware attacks that has plagued Windows endpoints over the past half decade or so has, thankfully, not been replicated on Mac devices. With a few unsuccessful exceptions, the notion of locking a Mac device and holding its owner to ransom in return for access to the machine and its data has not yet proven an attractive proposition for attackers.…

Read More

Update 2023-03-21 – We’ve talked with members of the NuGet team and they had already detected and removed the malicious packages in question.

Malicious packages are often spread by the open source NPM and PyPI package repositories, with few other repositories affected. Specifically – there was no public evidence of severe malicious activity in the NuGet repository other than spam packages used for spreading phishing links.…

Read More

MedusaLocker ransomware has been active since September 2019. MedusaLocker actors typically gain access to victims’ networks by exploiting vulnerabilities in Remote Desktop Protocol (RDP).

Once Threat Actors (TAs) gain access to the network, they encrypt the victim’s data and leave a ransom note with instructions on how victims can communicate with the TAs in every folder while encrypting files.…

Read More
Threat Actors Exploiting SVB Collapse Scenario To Launch Cyber-Attacks

Following a bank run on its deposits, Silicon Valley Bank (SVB) experienced a failure on March 10, 2023, and has garnered significant media attention. As SVB has traditionally been the preferred banking partner for many startups worldwide, its failure is expected to significantly impact this community.…

Read More

Affected platforms: WindowsImpacted parties: Any organizationImpact: Cryptojacks vulnerable systemsSeverity level: Critical

Between January and February 2023, FortiGuard Labs observed a payload targeting an exploitable Oracle Weblogic Server in a specific URI. This payload extracts ScrubCrypt, which obfuscates and encrypts applications and makes them able to dodge security programs.…

Read More