The LostTrust ransomware operation is a new multi-extortion threat that emerged in September 2023. Our analysis of LostTrust malware payloads indicates that the family is an evolution of SFile and Mindware, and that all three follow similar operations and tradecraft to MetaEncryptor. Similarities between the LostTrust leaks sites and the earlier MetaEncryptor leaks sites are also apparent, while aspects of SFile encryptor previously observed with MetaEncryptor campaigns are still in use with the LostTrust payloads we analyzed.…
Tag: DISCOVERY
The realm of cybersecurity is becoming more and more chaotic with each passing day, and there will always be a new actor entering the world of cybersecurity. The Dark Pink APT Group is one such entity that has recently caught the attention of security researchers and organizations worldwide.…
Executive Summary
Read More EclecticIQ analysts identified a cyber espionage campaign where threat actors used a variant of HyperBro loader with a Taiwan Semiconductor Manufacturing (TSMC) lure, likely to target the semiconductor industry in Mandarin/Chinese speaking East Asian regions (Taiwan, Hong Kong, Singapore). Operational tactics, techniques, and procedures (TTPs) overlap with previously reported activities attributed to People’s Republic of China (PRC) backed cyber espionage group. …
Published On : 2023-09-29
EXECUTIVE SUMMARYAt CYFIRMA, our commitment is to furnish you with the latest insights into prevalent threats and strategies employed by malicious actors, aiming at both organizations and individuals. This report provides a comprehensive analysis of “The-Murk-Stealer;” an open-source stealer, shedding light on its functionalities and capabilities.…
Key TakeawaysCyble Research and Intelligence Labs (CRIL) came across a Word document file that spreads via spam email, employing an infection method for disseminating PurpleFox malware.
In this malspam campaign, a VBA macro is employed to fetch the initial stage PowerShell script payload.
The initial stage PowerShell script functions as a downloader responsible for retrieving a PNG image that conceals hidden content using a form of steganography technique.…
Read More
Key takeawaysCyble Research and Intelligence Labs (CRIL) recently came across a new stealer called “Exela”.
Exela is a Python-based open-source stealer that steals a wide range of sensitive information from compromised systems.
It features an extensive array of anti-debugging and anti-virtual machine (VM) techniques, making it a potent tool for Threat Actors (TAs).…
Read More The following write-up and analysis is thanks to Matthew Brennan, Harlan Carvey, Anthony Smith, Craig Sweeney, and Joe Slowik.
BackgroundHuntress periodically performs reviews of identified incidents for pattern analysis, and leverages open and closed sources of intelligence to engage in threat hunting operations. At times, a combination of these activities—reviewing what we have already remediated and what we learn from external sources—reveals an overlap in adversary operations against Huntress partners and clients.…
SUMMARY
Read More Secureworks® Counter Threat Unit™ (CTU) analysis indicates that the GOLD MELODY threat group acts as an initial access broker (IAB) that sells access to compromised organizations for other cybercriminals to exploit. This financially motivated group has been active since at least 2017, compromising organizations by exploiting vulnerabilities in unpatched internet-facing servers.…
Executive SummarySentinelLabs observes sustained tasking towards strategic intrusions by Chinese threat actors in Africa, designed to extend influence throughout the continent.
New attacks include those against telecommunication, finance and government, attributed to the BackdoorDiplomacy APT and the threat group orchestrating Operation Tainted Love.
China’s engagement in soft power diplomacy has a lengthy history, yet the use of strategic cyber intrusions highlights recent objectives and potential lasting impact in Africa.…
Read More
Key InsightsAPT29’s pace of operations and emphasis on Ukraine increased in the first half of 2023 as Kyiv launched its counteroffensive, pointing to the SVR’s central role in collecting intelligence concerning the current pivotal phase of the war.
During this period, Mandiant has tracked substantial changes in APT29’s tooling and tradecraft, likely designed to support the increased frequency and scope of operations and hinder forensic analysis. …
Read More
Key Takeaways Proofpoint identified a new malware called ZenRAT being distributed via fake installation packages of the password manager Bitwarden.
The malware is specifically targeting Windows users and will redirect people using other hosts to a benign webpage.
At this time, it is unknown how the malware is being distributed. …
Read More
Introduction
Read More This month, “Smishing Triad” has vastly expanded its attack footprint in the UAE. Resecurity, a leader in cybersecurity and threat intelligence, has identified domain names that closely resemble those used by the group in their previous campaigns. Threat actors registered the majority of these UAE-focused domains with Gname.com…
SummaryThe BadBazaar malware family is tied to Chinese hacking group APT15.
In January 2024, Lookout published an in-depth analysis of the iOS variant of BadBazaar.
Previously, Lookout researchers uncovered the Android version in November 2022.
BadBazaar, alongside MOONSHINE spyware, have been known to target Tibetan and Uyghur minorities within China.…
Read More In 2022, The DFIR Report observed an increase in the adversarial usage of Remote Management and Monitoring (RMM) tools. When compared to post-exploitation channels that heavily rely on terminals, such as Cobalt Strike or Metasploit, the graphical user interface provided by RMMs are more user friendly.…
We examine the campaigns of the cyberespionage group known as Turla over the years, with a special focus on the key MITRE techniques and the corresponding IDs associated with the threat actor group.
In this blog entry, we examine the campaigns of the cyberespionage group known as Turla over the years, with a special focus on the key MITRE techniques and the corresponding IDs associated with the threat actor group.…
By Aleksandar Milenkoski, in collaboration with QGroup
Executive SummarySentinelLabs has observed a new threat activity cluster by an unknown threat actor we have dubbed Sandman. Sandman has been primarily targeting telecommunication providers in the Middle East, Western Europe, and the South Asian subcontinent. The activities are characterized by strategic lateral movements and minimal engagements, likely to minimize the risk of detection.…Recorded Future’s Insikt Group has conducted an analysis of a prolonged cyber-espionage campaign known as TAG-74, which is attributed to Chinese state-sponsored actors. TAG-74 primarily focuses on infiltrating South Korean academic, political, and government organizations. This group has been linked to Chinese military intelligence and poses a significant threat to academic, aerospace and defense, government, military, and political entities in South Korea, Japan, and Russia.…
Avaddon, a notorious Ransomware-as-a-Service (RaaS) that emerged in early 2019 was known for its double-extortion tactics. It not only encrypted victims’ files but also threatened to release stolen data publicly. Avaddon’s modus operandi involved targeting a diverse range of sectors, including healthcare, government, financial services, legal, hospitality, education, and retail.…
Summary
BlackBerry has discovered a new campaign we’ve dubbed “Silent Skimmer,” involving a financially motivated threat actor targeting vulnerable online payment businesses in the APAC and NALA regions. The attacker compromises web servers, using vulnerabilities to gain initial access. The final payload deploys payment scraping mechanisms on compromised websites to extract sensitive financial data from users.…