This post is also available in: 日本語 (Japanese)
Executive SummaryIn May 2021, Palo Alto Networks launched a proactive detector employing state-of-the-art methods to recognize malicious domains at the time of registration, with the aim of identifying them before they are able to engage in harmful activities.…
Published On : 2022-10-14
Infostealer Prynt Malware a Deep Dive into Its Process Injection Technique EXECUTIVE SUMMARYCYFIRMA Research team has seen an uptick in threat actor orchestrated cyber campaigns aimed at stealing confidential and sensitive information. Infostealers like “Prynt” are used to exfiltrate information as the first step leading into orchestration of sophisticated attacks which may include deployment of ransomwares.…
This is the fourth blog post in a four-part series. Read Part 1 | Part 2 | Part 3.
In Part 3, CrowdStrike’s Endpoint Protection Content Research Team covered the finer points of Input/Output Control (IOCTL) usage by various wipers. The fourth and final part of the wiper series covers some of the rarely used “helper” techniques implemented by wipers, which achieve secondary goals or facilitate a smaller portion of the wiping process.…
Phishing sites are becoming an increasingly attractive target for Threat Actors (TAs) to lure victims into stealing sensitive information, and downloading other malware, such as RAT, Ransomware, etc., to damage the victim’s machine. Generally, the link of these phishing pages arrives to users via SMS, Email, social networks, etc.…
Online digital tools are used by many people today simply due to their ease of use and the fact that they provide a platform for the user to perform various operations effectively. These tools are web-based software hosted on websites and can be accessed via the internet without having to download and install anything on the user’s machine.…
Contributions from Matt Thaxton.
Cisco Talos discovered a new attack framework including a command and control (C2) tool called “Alchimist” and a new malware “Insekt” with remote administration capabilities. The Alchimist has a web interface in Simplified Chinese with remote administration features. The attack framework is designed to target Windows, Linux and Mac machines.…We analyzed a QAKBOT-related case leading to a Brute Ratel C4 and Cobalt Strike payload that can be attributed to the threat actors behind the Black Basta ransomware.
SummaryQAKBOT’s malware distribution resumed on September 8, 2022 following a brief hiatus, when our researchers spotted several distribution mechanisms on this date.…
By Daksh Kapur · October 6, 2022
What is BazarCall?
As nicely defined in this article by Microsoft:
BazarCall campaigns forgo malicious links or attachments in email messages in favor of phone numbers that recipients are misled into calling. It’s a technique reminiscent of vishing and tech support scams where potential victims are being cold called by the attacker, except in BazarCall’s case, targeted users must dial the number.…
Cyble Research and Intelligence Labs (CRIL) has continuously monitored phishing campaigns that distribute different malware families. Recently, CRIL spotted an adult website, distributing a fake ransomware executable. The Fake Ransomware does not encrypt files instead it changes file names and their extensions, drops ransom notes, and threatens victims to pay ransom like usual ransomware families.…
ThreatLabz recently discovered a sample of the multi-function malware LilithBot in our database. Further research revealed that this was associated with the Eternity group (a.k.a. EternityTeam; Eternity Project), a threat group linked to the Russian “Jester Group,” that has been active since at least January 2022.…
As endpoint detection and response (EDR) solutions improve malware detection efficacy on Windows systems, certain state-sponsored threat actors have shifted to developing and deploying malware on systems that do not generally support EDR such as network appliances, SAN arrays, and VMware ESXi servers.
Earlier this year, Mandiant identified a novel malware ecosystem impacting VMware ESXi, Linux vCenter servers, and Windows virtual machines that enables a threat actor to take the following actions:
Maintain persistent administrative access to the hypervisor Send commands to the hypervisor that will be routed to the guest VM for execution Transfer files between the ESXi hypervisor and guest machines running beneath it Tamper with logging services on the hypervisor Execute arbitrary commands from one guest VM to another guest VM running on the same hypervisorThis malware ecosystem was initially detected when Mandiant Managed Defense identified attacker commands sourced from the legitimate VMware Tools process, vmtoolsd.exe,…
Earlier this year, we started hunting for possible new DeftTorero (aka Lebanese Cedar, Volatile Cedar) artifacts. This threat actor is believed to originate from the Middle East and was publicly disclosed to the cybersecurity community as early as 2015. Notably, no other intelligence was shared until 2021, which led us to speculate on a possible shift by the threat actor to more fileless/LOLBINS techniques, and the use of known/common offensive tools publicly available on the internet that allows them to blend in.…
Sygnia recently investigated a Cheerscrypt ransomware attack which utilized Night Sky ransomware TTPs. Further analysis revealed that Cheerscrypt and Night Sky are both rebrands of the same threat group, dubbed ‘Emperor Dragonfly’ by Sygnia.
‘Emperor Dragonfly’ (A.K.A. DEV-0401 / BRONZE STARLIGHT) deployed open-source tools that were written by Chinese developers for Chinese users.…
DJVU ransomware arrives on the scene masquerading as legitimate services or applications, or bundled with decoy files, in order to appear benign. The malware group also partners with other threats, giving them the option to download and deploy information stealers to exfiltrate data, giving threat actors a second way to benefit at victims’ expense.…
Ransomware is one of the most serious cybersecurity threats and possibly the most effective form of cybercrime that plagues organizations today. It has quickly become one of the most prominent and profitable types of malware for cybercriminals.
“Bl00dy” is a new ransomware strain targeting organizations using double extortion techniques.…
ReversingLabs has discovered a malicious npm package disguised as the software tool Material Tailwind. Here’s an in-depth look at our discovery — and threat analysis.…
In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee has been identified as an initial access vector utilized by several ransomware affiliates.
In this intrusion, we see the threat actor use BumbleBee to deploy Cobalt Strike and Meterpreter.…
Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.
This report details multiple campaigns conducted by the likely Chinese state-sponsored threat activity group TA413. The activity was identified through a combination of large-scale automated network traffic analytics and expert analysis.…
Broadcom Software, tracks as Coreid (aka FIN7, Carbon Spider). Darkside was used in the Colonial Pipeline ransomware attack in May 2021. The extreme amount of public and law enforcement attention that attack attracted led Coreid to shut down Darkside and replace it with BlackMatter. Coreid runs a ransomware-as-a-service (RaaS) operation, which means it develops the ransomware but it is deployed by affiliates for a cut of the profits.…
This post is also available in: 日本語 (Japanese)
Executive SummaryCybercriminals compromise domain names to attack the owners or users of the domains directly, or use them for various nefarious endeavors, including phishing, malware distribution, and command and control (C2) operations. A special case of DNS hijacking is called domain shadowing, where attackers stealthily create malicious subdomains under compromised domain names.…