Ursnif (aka Gozi, Dreambot, ISFB) is one of the most widespread banking trojans. It has been observed evolving over the past few years. Ursnif has shown incredible theft capabilities. In 2020, Ursnif rose to prominence, becoming one of the top ten most prolific pieces of malware.…
Tag: DISCOVERY
We analyze the Black Basta ransomware and examine the malicious actor’s familiar infection tactics.
Black Basta, a new ransomware gang, has swiftly risen to prominence in recent weeks after it caused massive breaches to organizations in a short span of time.
On April 20, 2022, a user named Black Basta posted on underground forums known as XSS.IS…
Cynet’s Threat Research and Intelligence team recently discovered a new malware campaign called BumbleBee. The campaign is unique in its use of Initial Access Brokers’ (IAB) tactics to gain access to victims’ machines. In this post, we will cover what this campaign is, and how the IAB distributes the BumbleBee malware and its TTPs.…
We discovered active exploitation of a vulnerability in the Spring Framework designated as CVE-2022-22965 that allows malicious actors to download the Mirai botnet malware.
Trend Micro Threat Research observed active exploitation of the Spring4Shell vulnerability assigned as CVE-2022-22965, which allows malicious actors to weaponize and execute the Mirai botnet malware.…
Broadcom, have found.
Activity on infected networks
In several cases, the initial activity on victim networks is seen on Microsoft Exchange Servers, suggesting the possibility that a known, unpatched vulnerability in Microsoft Exchange may have been used to gain access to victim networks in some cases.…
Both BLISTER and SocGholish are loaders known for their evasion tactics. Our report details what these loaders are capable of and our investigation into a campaign that uses both to deliver the LockBit ransomware.
The Trend Micro™ Managed XDR team has made a series of discoveries involving the BLISTER loader and SocGholish.…
For the Lazarus threat actor, financial gain is one of the prime motivations, with a particular emphasis on the cryptocurrency business. As the price of cryptocurrency surges, and the popularity of non-fungible token (NFT) and decentralized finance (DeFi) businesses continues to swell, the Lazarus group’s targeting of the financial industry keeps evolving.…
In this intrusion from December 2021, the threat actors utilized IcedID as the initial access vector. IcedID is a banking trojan that first appeared in 2017. It is usually delivered via malspam campaigns and has been widely used as an initial access vector in multiple ransomware intrusions.…
By Juan Andres Guerrero-Saade (@juanandres_gs) and Max van Amerongen (@maxpl0it)
Executive Summary
On Thursday, February 24th, 2022, a cyber attack rendered Viasat KA-SAT modems inoperable in Ukraine. Spillover from this attack rendered 5,800 Enercon wind turbines in Germany unable to communicate for remote monitoring or control.…
By Max Kersten, Marc Elias, Leandro Velasco, and Alexandre Mundo Alguacil · March 28, 2022
For over a decade, the PlugX malware has been observed internationally with different variants found around the world. This blog covers a PlugX variant that we have named Talisman, a name we based on comparisons with other PlugX variants, and its rather long life since it first emerged in 2008.…
During the past month, FortiEDR detected a campaign by Deep Panda, a Chinese APT group. The group exploited the infamous Log4Shell vulnerability in VMware Horizon servers. The nature of targeting was opportunistic insofar as multiple infections in several countries and various sectors occurred on the same dates.…
Malicious email and phishing scams are usually topical and follow a pattern of current events, and they typically are crafted around calendar and/or trending issues as attackers realize that victims are interested in all things relevant to the moment. Threat actors are aware that not all recipients will bite, but some will, hence the origin of the term “phishing.”…
Key Takeaways: An in-depth analysis of Midas and trends across other Thanos ransomware variants reveals how ransomware groups shifted tactics in 2021 to:
- lower sunk costs by using RaaS builders to reduce development time
- increase payouts with double extortion tactics by using their own data leak sites
- extend the length and effectiveness of campaigns to get the highest investment returns by updating payloads and/or rebranding their own ransomware group
Advertised on the darkweb for Ransomware-as-a-Service (RaaS), Thanos ransomware was first identified in February 2020.…
A Cobalt Strike Cybercrime Syndicate and the Ransomware Hackers’ Favorite Weapon
On March 9, the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Secret Service issued an updated alert about the Conti ransomware group, encouraging organizations to review their advisory and apply the recommended mitigations.…
Our Threat Research team maintains a vigilant watch over the cyber threat landscape, hunting for malware as a normal course of operations.…
This is the story of piecing together information and research leading to the discovery of one of the largest botnet-as-a-service cybercrime operations we’ve seen in a while. This research reveals that a cryptomining malware campaign we reported in 2018, Glupteba malware, significant DDoS attacks targeting several companies in Russia, including Yandex, as well as in New Zealand, and the United States, and presumably also the TrickBot malware were all distributed by the same C2 server.…
ESET researchers discovered a still-ongoing campaign using a previously undocumented Korplug variant, which they named Hodur due to its resemblance to the THOR variant previously documented by Unit 42 in 2020. In Norse mythology, Hodur is Thor’s blind half-brother, who is tricked by Loki into killing their half-brother Baldr.…
In December 2021, we observed an adversary exploiting the Microsoft Exchange ProxyShell vulnerabilities to gain initial access and execute code via multiple web shells. The overlap of activities and tasks was remarkably similar to that observed in our previous report, “Exchange Exploit Leads to Domain Wide Ransomware”.…
UNC2891 often made use of the STEELCORGI in-memory dropper which decrypts its embedded payloads by deriving a ChaCha20 key from the value of an environment variable obtained at runtime. In many cases, Mandiant was unable to recover the requisite environment variables to decrypt the embedded payloads.…