Tag: DISCOVERY

New .NET-Based Ransomware Performs Targeted Attack

Several organizations, big or small, have been facing threats from Threat Actors (TAs) at a greater frequency than ever before. An organization’s primary danger remains losing access to their systems and data, which is further aggravated by the threat of TAs leaking the data if ransom requests are not fulfilled or the victim reaches out to law enforcement authorities. …

Read More

Key points

The Black Hat network is more unique and complex than a standard enterprise network due to the number and diversity of devices connected, the abundance of trainings and labs that occur, and the rapid nature of the engagement itself. Over the course of the conference, our IronDefense NDR solution generated 31 malicious alerts and 45 suspicious alerts, detecting both real malware activity and simulated attack tactics from classes and demos.…
Read More

Summary

Actions for ZCS administrators to take today to mitigate malicious cyber activity:

• Patch all systems and prioritize patching known exploited vulnerabilities.

• Deploy detection signatures and hunt for indicators of compromise (IOCs).

• If ZCS was compromised, remediate malicious activity.

Updated November 10, 2022: This product was written by the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) with contributions by the Federal Bureau of Investigation (FBI).…

Read More

As we continue to monitor the cyber situation in Ukraine, the data we are seeing shows some interesting trends. Not only has the volume of attacks continued rising throughout the war in Ukraine, the types of attacks have been varied. A common tactic of cyber criminals is to run automated exploit attempts, hitting as many possible targets as they can to see what gets a result.…

Read More

Recently, a simple and short email with a suspicious RTF attachment that had been sent to a telecommunications agency in South Asia caught the attention of FortiGuard Labs. The email was disguised as having come from a Pakistan government division and delivered the PivNoxy malware.

Affected Platforms: WindowsImpacted Parties: Windows usersImpact: Controls victim’s machine and collects sensitive informationSeverity Level: Medium

This blog describes how the attack works, suggests who the threat actor behind the operation might be, and details the techniques used by the attacker.…

Read More
GoLang-based Ransomware targets multiple industries

Cyble Research Labs has observed that malware written in the programming language “Go” has recently been popular among Threat Actors (TAs). This is likely due to its cross-platform functionalities and the fact that it makes reverse engineering more difficult. We have seen many threats developed using the Go language, such as Ransomware, RAT, Stealer, etc.…

Read More
New stealer developing Crypto Miner capabilities

During a routine threat hunting exercise, Cyble Research Labs (CRL) came across a Twitter post wherein researchers mentioned a URL that hosts a Windows executable payload with the name systemupdate.exe. The researcher in the Twitter post claims this Windows executable is a variant of Typhon stealer malware delivered via a crafted .lnk…

Read More
Insights into Onyx Ransomware’s recent Operations

Onyx ransomware was initially identified by researchers in mid-April 2022. The ransomware group uses the double extortion technique to target its victims where it exfiltrates the victim’s data, then encrypts it. If the victim cannot pay the ransom, then Threat Actors (TA) leak the victim’s data on their leak site.…

Read More

This post is also available in: 日本語 (Japanese)

Executive Summary

Beginning in early May 2022, Unit 42 observed a threat actor deploying Cuba Ransomware using novel tools and techniques. Using our naming schema, Unit 42 tracks the threat actor as Tropical Scorpius.

Here, we start with an overview of the ransomware and focus on an evolution of behavior observed leading up to deployment of Cuba Ransomware.…

Read More

In this intrusion from April 2022, the threat actors used BumbleBee as the initial access vector.

BumbleBee is a malware loader that was first reported by Google Threat Analysis Group in March 2022. Google TAG attributes this malware to an initial access broker (IAB) dubbed EXOTIC LILY, working with the cybercrime group FIN12/WIZARD SPIDER/DEV-0193.…

Read More
New Stealer Being Sold Via MaaS Model

Cyble Research Labs has been actively monitoring various Stealers and blogging about them to keep our readers aware and informed. Recently, we came across a malware sample which turned out to be a new malware variant named “LOLI Stealer.”

LOLI Stealer is an Info Stealer that steals sensitive information such as passwords, cookies, screenshots, etc.,…

Read More
SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT”

July 28, 2022

by Paul Rascagneres, Thomas Lancaster, Volexity Threat Research

Volexity tracks a variety of threat actors to provide unique insights and actionable information to its Threat Intelligence customers. One frequently encountered—that often results in forensics investigations on compromised systems—is tracked by Volexity as SharpTongue.…

Read More

Gootloader is a Malware-as-a-Service (MaaS) offering that is spread through Search Engine Optimization (SEO) poisoning to distribute malicious payloads, such as IcedID. Threat actors have begun using IcedID, a former banking trojan, since it’s a stealthier option compared to Cobalt Strike.

In fact, the eSentire Threat Response Unit (TRU) team recently published a security advisory, The Popular Malware Downloader, GootLoader, Expands its Payloads Yet Again, Infecting a Law Firm with IcedID, that outlined TRU’s discovery of threat actors deploying IcedID onto a law firm’s IT environment via an employee’s computer.…

Read More

In June 2022, LockBit revealed version 3.0 of its ransomware. In this blog entry, we discuss the findings from our own technical analysis of this variant and its behaviors, many of which are similar to those of the BlackMatter ransomware.

In March 2022,  less than a year after LockBit 2.0 first emerged, researchers caught wind of an upcoming new variant of the LockBit ransomware. LockBit…

Read More
Introduction

Rootkits are malware implants which burrow themselves in the deepest corners of the operating system. Although on paper they may seem attractive to attackers, creating them poses significant technical challenges and the slightest programming error has the potential to completely crash the victim machine. In our APT predictions for 2022, we noted that despite these risks, we expected more attackers to reach the sophistication level required to develop such tools.…

Read More