Key FindingsThe SECUINFRA Falcon Team identified a recent attack consitent with the campaign targeting Bangladesh conducted by the advanced persistent threat group “Bitter”, also known as T-APT-17.
Bitter employs malicious document files as lures containing different implementations of the so-called “Equation Editor exploits” to download following malware stages.…
Read More Tag: DEFENSE EVASION
Raccoon Stealer was one of the most prolific information stealers in 2021, being used by multiple cybercriminal actors. Due to its wide stealing capabilities, the customizability of the malware and its ease of use, Raccoon Stealer was highly popular among threat actors. The malware was mainly distributed using fake installers, or as cracked versions of popular software.…
During our routine threat hunting exercise, Cyble Research Labs came across a Twitter Post wherein the researcher mentioned an Android malware variant published on the Play Store. The variant in question acts as a Hostile Downloader and downloads the Hydra Banking Trojan.
The downloaded app has the same functionality as recently encountered Hydra variants targeting Columbia.…
Executive SummaryAoqin Dragon, a threat actor SentinelLabs has been extensively tracking, has operated since 2013 targeting government, education, and telecommunication organizations in Southeast Asia and Australia.
Aoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices.
Other techniques the attacker has been observed using include DLL hijacking, Themida-packed files, and DNS tunneling to evade post-compromise detection.…
Read More This research was conducted by Ross Inman (@rdi_x64) and Peter Gurney from NCC Group Cyber Incident Response Team. You can find more here Incident Response – NCC Group
tl;drThis blog post documents some of the TTPs employed by a threat actor group who were observed deploying Black Basta ransomware during a recent incident response engagement, as well as a breakdown of the executable file which performs the encryption.…
In this multi-day intrusion, we observed a threat actor gain initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus. The threat actor, discovered files on the server and dumped credentials using a web shell, moved laterally to key servers using Plink and RDP and exfiltrated sensitive information using the web shell and RDP.…
UNC2165 Overlaps with Evil Corp Activity
Read More OFAC sanctions against Evil Corp in December 2019 were announced in conjunction with the Department of Justice’s (DOJ) unsealing of indictments against individuals for their roles in the Bugat malware operation, updated versions of which were later called DRIDEX. DRIDEX was believed to operate under an affiliate model with multiple actors involved in the distribution of the malware.…
Recently Cyble researchers came across a post where a researcher mentioned about fake Proof of Concept (POC) of CVE-2022-26809. Upon further investigation, we discovered that it’s malware disguised as an Exploit. Similarly, we found a malicious sample that appears to be a fake POC of CVE-2022-24500.…
ВведениеОбщие сведенияАнализ ВПО и инструментовMyKLoadClientСхема 1Схема 2Тестовый образецПолезная нагрузкаZupdaxПолезная нагрузкаСвязь с RedsipСвязи с Winnti и FF-RATСвязи с Bronze Union и TA428ЗагрузчикиDownloader.Climax.ADownloader.Climax.BRtlShareДроппер rtlstat.dllИнжектор rtlmake.dllПолезная нагрузка rtlmain.dll (rtlmainx64.dll)Использование RtlSharePlugXDemo dropperBH_A006Стадия 0.…
Read More Summary
Update June 2, 2022:
This Cybersecurity Advisory (CSA) has been updated with additional indicators of compromise (IOCs) and detection signatures, as well as tactics, techniques, and procedures (TTPs) from trusted third parties.
Update End
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this CSA to warn organizations that malicious cyber actors, likely advanced persistent threat (APT) actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination.…
Since the beginning of the ongoing Russia-Ukraine War, some ransomware and hacking groups have publicly declared which side they are on. Such actions have created tension internally within the threat actor groups as it has caused dissension, and externally, as organizations fear being targeted due to the political nature of the war.…
This blog post was authored by Hossein Jazi and Jérôme Segura
Populations around the world—and in Europe in particular—are following the crisis in Ukraine very closely, and with events unfolding on a daily basis, people are hungry for information.
Although all countries have reasons to be concerned, the situation is Germany is more complicated than most.…
Published On : 2022-05-12
Onyx Ransomware ReportSuspected Malware: onyx RansomwareFunction: RansomwareRisk Score: 8Confidence Level: HighThreat actor Associations: Unknown
Executive Summary:The activity of new ransomware named “Onyx” was first observed in the second half of April 2022. This ransomware group has seven victims listed on its data leak page[.onion…
By: Max Malyutin – Orion Threat Research Team Leader
Read More Cynet’s Threat Research and Intelligence team recently discovered a new malware campaign called BumbleBee. The campaign is unique in its use of Initial Access Brokers’ (IAB) tactics to gain access to victims’ machines. In this post, we will cover what this campaign is, and how the IAB distributes the BumbleBee malware and its TTPs.…
This post is also available in: 日本語 (Japanese)
Executive SummaryRecently, we’ve identified a new version of SolarMarker, a malware family known for its infostealing and backdoor capabilities, mainly delivered through search engine optimization (SEO) manipulation to convince users to download malicious documents.
Some of SolarMarker’s capabilities include the exfiltration of auto-fill data, saved passwords and saved credit card information from victims’ web browsers.…
Both BLISTER and SocGholish are loaders known for their evasion tactics. Our report details what these loaders are capable of and our investigation into a campaign that uses both to deliver the LockBit ransomware.
The Trend MicroTM Managed XDR team has made a series of discoveries involving the BLISTER loader and SocGholish.…
For the Lazarus threat actor, financial gain is one of the prime motivations, with a particular emphasis on the cryptocurrency business. As the price of cryptocurrency surges, and the popularity of non-fungible token (NFT) and decentralized finance (DeFi) businesses continues to swell, the Lazarus group’s targeting of the financial industry keeps evolving.…
In this intrusion from December 2021, the threat actors utilized IcedID as the initial access vector. IcedID is a banking trojan that first appeared in 2017, usually, it is delivered via malspam campaigns and has been widely used as an initial access vector in multiple ransomware intrusions.…
Morphisec Labs has detected a new wave of Remcos trojan infection. The theme of the phishing emails is again financial, this time as payment remittances sent from financial institutions. The attacker lures a user to open a malicious Excel file that contains “confidential information” which starts the infection chain.…
This post describes the technical analysis of a new campaign detected by Intezer’s research team, which initiates attacks with a phishing email that uses conversation hijacking to deliver IcedID.
The underground economy is constantly evolving with threat actors specializing in specific fields. One field that has bloomed in the last few years is initial access brokers.…