The ASEC analysis team has recently discovered the distribution of Quasar RAT through the private Home Trading System (HTS). No information could be found when looking up the HTS called HPlus that was used in the attack. Furthermore, the company’s name could not be found in even the clause of the installation process, so it is assumed that the victims did not install their HTS from an institutional financial company, but instead, they got HPlus HTS through an unsanctioned source or a disguised financial investment company.…
Tag: DISCOVERY
Executive Summary
SentinelLabs has observed the first Linux variant of Cl0p ransomware.
The ELF executable contains a flawed encryption algorithm making it possible to decrypt locked files without paying the ransom.
SentinelLabs has published a free decryptor for this variant here.
Background
Read More
SentinelLabs observed the first ELF variant of Cl0p (also known as Clop) ransomware variant targeting Linux systems on the 26th of December 2022.…
In this intrusion from August 2022, we observed a compromise that was initiated with a Word document containing a malicious VBA macro, which established persistence and communication to a command and control server (C2). Upon performing initial discovery and user enumeration, the threat actor used AutoHotkey to launch a keylogger.…
Introduction
Read More
Zscaler’s ThreatLabz research team diligently monitors and tracks active threat campaigns globally to rapidly detect new developments and proactively safeguard Zscaler customers. The seven case studies that follow provide an in-depth analysis of the AveMaria infostealer attack chain and how it has been shifting over the past six months.…
In September of last year, our Incident Response team was called to an incident that was identified as an attempt of social engineering an online customer service platform. Due to custom-built rules and extensive employee awareness training, we were able to push back these threats. By ingesting the tactics, techniques & procedures (TTPs) of the incident into our autonomous enrichment technology, Arpia, we were able to detect and respond to three other incidents, preventing our clients from being compromised by the mysterious threat actor.…
Last updated at Tue, 14 Feb 2023 15:22:44 GMT
Author: Thomas ElkinsContributors: Matt Green, James Dunne, and Hernan Diaz
Rapid7 routinely conducts research into the wide range of techniques that threat actors use to conduct malicious activity. One objective of this research is to discover new techniques being used in the wild, so we can develop new detection and response capabilities.…
Evasive Malware Targeting Remote Desktop Files
Read More
Information stealers are malware designed to steal sensitive information from infected computers, such as login credentials, financial data, and personal information. They typically do this by searching for specific types of files and data on the infected computer and then exfiltrating that information to a remote server controlled by the attackers.…
by Joe Stewart and Keegan Keplinger, Security Researchers with eSentire‘s Threat Response Unit (TRU)
Executive SummaryFor the past 16 months, eSentire’s security research team, the Threat Response Unit (TRU), has been tracking one of the most capable and stealthy malware suites — Golden Chickens. Golden Chickens is the “cyber weapon of choice” for three of the top money making, longest-running Internet crime groups: Russia-based FIN6 and Cobalt Group and Belarus-based Evilnum.…
Uncovering the Secrets of the Command and Control Panel
Read More
A new trend has been observed among Threat Actors (TAs) of using Golang for their information stealer malware. Golang, also known as Go, is a programming language developed by Google known for its simplicity, efficiency, and performance.…
Trend Micro researchers discovered a new ransomware that abuses the APIs of a legitimate tool called Everything, a Windows filename search engine developed by Voidtools that offers quick searching and real-time updates for minimal resource usage.
Trend Micro researchers discovered a new ransomware that abuses the APIs of a legitimate tool called Everything, a Windows filename search engine developed by Voidtools that offers quick searching and real-time updates for minimal resource usage.…
This post is also available in: 日本語 (Japanese)
Executive SummaryRecently, our Unit 42 incident response team was engaged in a Black Basta breach response that uncovered several tools and malware samples on the victim’s machines, including GootLoader malware, Brute Ratel C4 red-teaming tool and an older PlugX malware sample.…
In this blog entry, we’d like to highlight our findings on Vice Society, which includes an end-to-end infection diagram that we were able to create using Trend Micro internal telemetry.
Updated on January 26, 2023 to remove references to Kape Tool and to remove Trend Micro Apex One from the list of programs that the ransomware disables.…
Investigators: Nico Agnese, Maor Elizen, Marion Habiby, Ryan Joye, Vikas Parthasarathy, Adam Sell, Mikhail Venkov
In this post:
HUMAN’s Satori Threat Intelligence and Research Team uncovered and took down a sophisticated ad fraud operation we’ve dubbed VASTFLUX. This private takedown of an expansive and complex threat embodies the power of modern defense and collective protection.…Written by Jon DiMaggio.
Table of Contents
I gotta story to tell…
The LockBit ransomware gang is one of the most notorious organized cybercrime syndicates that exists today. The gang is behind attacks targeting private-sector corporations and other high-profile industries worldwide. News and media outlets have documented many LockBit attacks, while security vendors offer technical assessments explaining how each occurred.…
Botnet with Clipper Capabilities being pushed via Phishing Sites
Read More
The Amadey bot is a Trojan that was first discovered in 2018 and is used to steal sensitive information from the infected device. Initially, it was found to be distributed through exploit kits, and Threat Actors (TAs) utilized it to deploy other malware, such as the GrandCrab ransomware and the Flawed Ammyy Remote Access Trojan.…
At the end of November 2022, experts from Bitdefender Labs started to notice an increase in attacks using ProxyNotShell/OWASSRF exploits chains to target on-premises Microsoft Exchange deployments. SSRF attacks on Microsoft Exchange servers are some of the most popular and routinely exploited vulnerabilities. We decided to release a technical advisory describing these attacks, but also documenting some of the recent attacks that we’ve detected in the wild. …
Research by: Karthickkumar Kathiresan and Shilpesh Trivedi
The Uptycs threat research team recently discovered a campaign involving the Titan Stealer malware, which is being marketed and sold by a threat actor (TA) through a Telegram channel for cybercrime purposes. The stealer is capable of stealing a variety of information from infected Windows machines, including credential data from browsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files.…
Since May 2022, eSentire’s Threat Response Unit (TRU) has observed 11 cases of Raspberry Robin infections. Although the initial access vector is an infected USB drive, however it’s unclear how the USB drives were initially infected. Raspberry Robin hosts its payloads on compromised QNAP servers with the malicious files being stored on USB drives as shortcuts.…
Published On : 2023-01-23
Executive SummaryResearch team at CYFIRMA recently discovered a malicious PDF file being distributed through email. The PDF file redirects the user to a cloud-based platform where they are prompted to download a ZIP file. Inside the ZIP file is a shortcut link, which when executed, uses PowerShell to download a heavily obfuscated VBS script known as GuLoader.…
Summary
Three key takeaways from our analysis of Vidar infrastructure:
Russian VPN gateways are potentially providing anonymity for Vidar operators / customers, making it more challenging for analysts to have a complete overview of this threat. These gateways now appear to be migrating to Tor.
Vidar operators appear to be expanding their infrastructure, so analysts need to keep them in their sights.…