In April 2022, PT Expert Security Center detected an attack on a number of Russian media and energy companies that used a malicious document called «list.docx» to extract a malicious payload packed with VMProtect. Having analyzed the network packet, we found it to be identical to the one we studied in our report on APT31 tools, suggesting that these may belong to one and the same group.…
Tag: DEFENSE EVASION
By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov
Last Updated: July 20, 2022
Introduction
The Securonix Threat Research (STR) team has been observing and investigating a new attack campaign exploiting high-value targets, including the Czech Republic, Poland, and other countries. The attack campaign has been tracked by STR as STIFF#BIZON.…
In April 2022, ESET researchers discovered a previously unknown macOS backdoor that spies on users of the compromised Mac and exclusively uses public cloud storage services to communicate back and forth with its operators. Following analysis, we named it CloudMensis. Its capabilities clearly show that the intent of its operators is to gather information from the victims’ Macs by exfiltrating documents, keystrokes, and screen captures.…
Published On : 2022-07-13
NukeSped RAT Report
Suspected Malware: NukeSped Malware
Function: RAT
Risk Score: 8
Confidence Level: High
Threat Actor Associations: Lazarus Group (North Korea)
Executive Summary:
The NukeSped malware is a remote access trojan (RAT) and has been attributed to the threat actor Lazarus Group. The group has been active since 2009, remains active in 2022, and continues its operations targeting countries mainly in the Asia Pacific region.…
Summary
Actions to take today:
• Install fixed builds, updating all affected VMware Horizon and UAG systems to the latest versions. If updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, treat all affected VMware systems as compromised.…
Raccoon Stealer was one of the most prolific information stealers in 2021, being used by multiple cybercriminal actors. Due to its wide stealing capabilities, the customizability of the malware and its ease of use, Raccoon Stealer was highly popular among threat actors. The malware was mainly distributed using fake installers, or as cracked versions of popular software.…
During our routine threat hunting exercise, Cyble Research Labs came across a Twitter Post wherein the researcher mentioned an Android malware variant published on the Play Store. The variant in question acts as a Hostile Downloader and downloads the Hydra Banking Trojan.
The downloaded app has the same functionality as recently encountered Hydra variants targeting Colombia.…
This research was conducted by Ross Inman (@rdi_x64) and Peter Gurney from NCC Group Cyber Incident Response Team. You can find more here: Incident Response – NCC Group
tl;dr
This blog post documents some of the TTPs employed by a threat actor group who were observed deploying Black Basta ransomware during a recent incident response engagement, as well as a breakdown of the executable file which performs the encryption.…
In this multi-day intrusion, we observed a threat actor gain initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus. The threat actor discovered files on the server and dumped credentials using a web shell, moved laterally to key servers using Plink and RDP, and exfiltrated sensitive information using the web shell and RDP.…
OFAC sanctions against Evil Corp in December 2019 were announced in conjunction with the Department of Justice’s (DOJ) unsealing of indictments against individuals for their roles in the Bugat malware operation, updated versions of which were later called DRIDEX. DRIDEX was believed to operate under an affiliate model with multiple actors involved in the distribution of the malware.…
Recently, Cyble researchers came across a post where a researcher mentioned a fake Proof of Concept (POC) of CVE-2022-26809. Upon further investigation, we discovered that it is malware disguised as an exploit. Similarly, we found a malicious sample that appears to be a fake POC of CVE-2022-24500.…
Summary
Update June 2, 2022:
This Cybersecurity Advisory (CSA) has been updated with additional indicators of compromise (IOCs) and detection signatures, as well as tactics, techniques, and procedures (TTPs) from trusted third parties.
Update End
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this CSA to warn organizations that malicious cyber actors, likely advanced persistent threat (APT) actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination.…
Since the beginning of the ongoing Russia-Ukraine War, some ransomware and hacking groups have publicly declared which side they are on. Such actions have created tension internally within the threat actor groups as it has caused dissension, and externally, as organizations fear being targeted due to the political nature of the war.…
This blog post was authored by Hossein Jazi and Jérôme Segura
Populations around the world—and in Europe in particular—are following the crisis in Ukraine very closely, and with events unfolding on a daily basis, people are hungry for information.
Although all countries have reasons to be concerned, the situation in Germany is more complicated than most.…
Published On : 2022-05-12
Onyx Ransomware Report
Suspected Malware: Onyx Ransomware
Function: Ransomware
Risk Score: 8
Confidence Level: High
Threat Actor Associations: Unknown
Executive Summary:
The activity of a new ransomware named “Onyx” was first observed in the second half of April 2022. This ransomware group has seven victims listed on its data leak page[.onion…
Cynet’s Threat Research and Intelligence team recently discovered a new malware campaign called BumbleBee. The campaign is unique in its use of Initial Access Brokers’ (IAB) tactics to gain access to victims’ machines. In this post, we will cover what this campaign is, and how the IAB distributes the BumbleBee malware and its TTPs.…
Executive Summary
Recently, we’ve identified a new version of SolarMarker, a malware family known for its infostealing and backdoor capabilities, mainly delivered through search engine optimization (SEO) manipulation to convince users to download malicious documents.
Some of SolarMarker’s capabilities include the exfiltration of auto-fill data, saved passwords and saved credit card information from victims’ web browsers.…