The LostTrust ransomware operation is a new multi-extortion threat that emerged in September 2023. Our analysis of LostTrust malware payloads indicates that the family is an evolution of SFile and Mindware, and that all three follow similar operations and tradecraft to MetaEncryptor. Similarities between the LostTrust leaks sites and the earlier MetaEncryptor leaks sites are also apparent, while aspects of SFile encryptor previously observed with MetaEncryptor campaigns are still in use with the LostTrust payloads we analyzed.…

Read More

Executive Summary 

EclecticIQ analysts identified a cyber espionage campaign where threat actors used a variant of HyperBro loader with a Taiwan Semiconductor Manufacturing (TSMC) lure, likely to target the semiconductor industry in Mandarin/Chinese speaking East Asian regions (Taiwan, Hong Kong, Singapore). Operational tactics, techniques, and procedures (TTPs) overlap with previously reported activities attributed to People’s Republic of China (PRC) backed cyber espionage group. …

Read More

Published On : 2023-09-29

EXECUTIVE SUMMARY

At CYFIRMA, our commitment is to furnish you with the latest insights into prevalent threats and strategies employed by malicious actors, aiming at both organizations and individuals. This report provides a comprehensive analysis of “The-Murk-Stealer;” an open-source stealer, shedding light on its functionalities and capabilities.…

Read More
Key TakeawaysCyble Research and Intelligence Labs (CRIL) came across a Word document file that spreads via spam email, employing an infection method for disseminating PurpleFox malware. In this malspam campaign, a VBA macro is employed to fetch the initial stage PowerShell script payload. The initial stage PowerShell script functions as a downloader responsible for retrieving a PNG image that conceals hidden content using a form of steganography technique.…
Read More
Key takeawaysCyble Research and Intelligence Labs (CRIL) recently came across a new stealer called “Exela”. Exela is a Python-based open-source stealer that steals a wide range of sensitive information from compromised systems. It features an extensive array of anti-debugging and anti-virtual machine (VM) techniques, making it a potent tool for Threat Actors (TAs).…
Read More

The following write-up and analysis is thanks to Matthew Brennan, Harlan Carvey, Anthony Smith, Craig Sweeney, and Joe Slowik. 

Background

Huntress periodically performs reviews of identified incidents for pattern analysis, and leverages open and closed sources of intelligence to engage in threat hunting operations. At times, a combination of these activities—reviewing what we have already remediated and what we learn from external sources—reveals an overlap in adversary operations against Huntress partners and clients.…

Read More
SUMMARY

Secureworks® Counter Threat Unit™ (CTU) analysis indicates that the GOLD MELODY threat group acts as an initial access broker (IAB) that sells access to compromised organizations for other cybercriminals to exploit. This financially motivated group has been active since at least 2017, compromising organizations by exploiting vulnerabilities in unpatched internet-facing servers.…

Read More
Executive SummarySentinelLabs observes sustained tasking towards strategic intrusions by Chinese threat actors in Africa, designed to extend influence throughout the continent. New attacks include those against telecommunication, finance and government, attributed to the BackdoorDiplomacy APT and the threat group orchestrating Operation Tainted Love. China’s engagement in soft power diplomacy has a lengthy history, yet the use of strategic cyber intrusions highlights recent objectives and potential lasting impact in Africa.…
Read More
Key InsightsAPT29’s pace of operations and emphasis on Ukraine increased in the first half of 2023 as Kyiv launched its counteroffensive, pointing to the SVR’s central role in collecting intelligence concerning the current pivotal phase of the war. During this period, Mandiant has tracked substantial changes in APT29’s tooling and tradecraft, likely designed to support the increased frequency and scope of operations and hinder forensic analysis. …
Read More

We examine the campaigns of the cyberespionage group known as Turla over the years, with a special focus on the key MITRE techniques and the corresponding IDs associated with the threat actor group.

In this blog entry, we examine the campaigns of the cyberespionage group known as Turla over the years, with a special focus on the key MITRE techniques and the corresponding IDs associated with the threat actor group.…

Read More

By Aleksandar Milenkoski, in collaboration with QGroup

Executive SummarySentinelLabs has observed a new threat activity cluster by an unknown threat actor we have dubbed Sandman. Sandman has been primarily targeting telecommunication providers in the Middle East, Western Europe, and the South Asian subcontinent. The activities are characterized by strategic lateral movements and minimal engagements, likely to minimize the risk of detection.…
Read More

Recorded Future’s Insikt Group has conducted an analysis of a prolonged cyber-espionage campaign known as TAG-74, which is attributed to Chinese state-sponsored actors. TAG-74 primarily focuses on infiltrating South Korean academic, political, and government organizations. This group has been linked to Chinese military intelligence and poses a significant threat to academic, aerospace and defense, government, military, and political entities in South Korea, Japan, and Russia.…

Read More

Avaddon, a notorious Ransomware-as-a-Service (RaaS) that emerged in early 2019 was known for its double-extortion tactics. It not only encrypted victims’ files but also threatened to release stolen data publicly. Avaddon’s modus operandi involved targeting a diverse range of sectors, including healthcare, government, financial services, legal, hospitality, education, and retail.…

Read More

Summary

BlackBerry has discovered a new campaign we’ve dubbed “Silent Skimmer,” involving a financially motivated threat actor targeting vulnerable online payment businesses in the APAC and NALA regions. The attacker compromises web servers, using vulnerabilities to gain initial access. The final payload deploys payment scraping mechanisms on compromised websites to extract sensitive financial data from users.…

Read More