Microsoft has identified a new North Korean threat actor, now tracked as Moonstone Sleet (formerly Storm-1789), that combines many tried-and-true techniques used by other North Korean threat actors with its own unique attack methodologies to target companies for financial and cyberespionage objectives. Moonstone Sleet has been observed setting up fake companies and job opportunities to engage with potential targets, employing trojanized versions of legitimate tools, creating a fully functional malicious game, and delivering a new custom ransomware.…
Tag: EDR
Google Chrome has been the dominant web browser for years now, which is why it may come as a surprise to hear of a startup, not even based in Silicon Valley, called The Browser Company offering a new take on the “window to the internet”.
The Arc browser has been available for MacOS since July 2023, but the Windows version was only released a couple of weeks ago.…
Summary: The content discusses the discovery of a backdoor known as KeyPlug, which has been targeting various industries in Italy. The backdoor is attributed to the APT41 threat actor group, believed to have ties to China.
Threat Actor: APT41 | Victim: Italian industries
Key Point:
The backdoor known as KeyPlug has been targeting Italian industries for several months.…
In a recent investigation by Bitdefender Labs, a series of cyberattacks targeting high-level organizations in South China Sea countries revealed a previously unknown threat actor. We’ve designated this group “Unfading Sea Haze” based on their persistence and focus on the region. The targets and nature of the attacks suggest alignment with Chinese interests.…
Published On : 2024-05-24
EXECUTIVE SUMMARY
At CYFIRMA, our commitment is to provide timely insights into prevalent threats and malicious tactics affecting both organizations and individuals. Synapse ransomware has emerged as a new threat in the cyber landscape, appearing in the wild since February 2024. This ransomware is distributed under the Ransomware-as-a-Service (RaaS) model to affiliates via dark web or onion web pages, with its payload, SynapseCrypter.exe.…
Introduction
APT41, known by numerous aliases such as Amoeba, BARIUM, BRONZE ATLAS, BRONZE EXPORT, Blackfly, Brass Typhoon, Earth Baku, G0044, G0096, Grayfly, HOODOO, LEAD, Red Kelpie, TA415, WICKED PANDA, and WICKED SPIDER, is a Chinese-origin cyber threat group recognized for its extensive cyber espionage and cybercrime campaigns. …
Threat Actor: Unknown | Victim: Congo’s Largest Mining Company | Price: $300 | Exfiltrated Data Type: N/A
Additional Information:
Access Type: Remote Desktop Protocol (RDP) | Privileges: Domain Admin | Number of Hosts in the Domain: Approximately 200 | Security: Protected by OfficeScan EDR | Investment Indicator: The mining company recently secured an investment of $75 million, suggesting a revenue exceeding $75 million.…
In the constantly changing landscape of cyber threats, ransomware groups adapt their tactics to outmaneuver defenses. Everest Ransomware recently attracted attention in May 2024 for its notable targets. Since its emergence in December 2020, Everest has seemed to infiltrate and compromise organizations using advanced techniques. This profile examines the origins, operational tactics, and mitigation strategies related to Everest Ransomware, offering essential insights for cybersecurity professionals.…
Summary: A malicious crypto mining campaign called ‘REF4578’ has been discovered, deploying a payload named GhostEngine that uses vulnerable drivers to disable security products and deploy a cryptocurrency miner.
Threat Actor: Unknown | Victim: Unknown
Key Point:
The crypto mining campaign, codenamed ‘REF4578,’ uses a payload named GhostEngine to exploit vulnerable drivers and disable security products.…
Elastic Security Labs has identified an intrusion set incorporating several malicious modules and leveraging vulnerable drivers to disable known security solutions (EDRs) for crypto mining. Additionally, the team discovered capabilities to establish persistence, install a previously undocumented backdoor, and execute a crypto-miner. We refer to this intrusion set as REF4578 and the primary payload as GHOSTENGINE (tangential research by the team at Antiy has named parts of this intrusion set HIDDENSHOVEL).…
By Securonix Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov, May 21st, 2024
tl;dr: An interesting attack campaign has been uncovered which leverages Google Drive and Dropbox to stage malware and exfiltrate sensitive data.
The Securonix Threat Research team has discovered a new sophisticated infection chain, dubbed CLOUD#REVERSER, which leverages popular cloud storage services like Google Drive and Dropbox to orchestrate the threat actor’s malicious operations.…
The Uptycs Threat Research Team has uncovered a large-scale, ongoing operation within the Log4j campaign. Initially detected within our honeypot collection, upon discovery, the team promptly initiated an in-depth analysis to delve into the complexities of this dynamic campaign.…
Dispossessor has recently emerged in the ransomware landscape, and it is especially notable for its similarities to the notorious LockBit group. Following an extensive crackdown by global law enforcement agencies, which led to the seizure of LockBit’s primary domains, Dispossessor quickly surfaced, mimicking the structure and content of LockBit.
Dispossessor’s logo
Who is Dispossessor Ransomware?
The name “Dispossessor” could be linked to Ursula K.…
Leveraging Ghidra to establish the context and intent behind suspicious strings, going one step further than initial analysis tools like PeStudio and Detect It Easy.
This is a great technique for working with Ghidra and establishing a starting point for analysis. It reduces total investigation time and allows one to determine why and how a string is contained within a file.…
In the modern Internet society, one can easily obtain information on devices all over the world connected to the Internet using network and device search engines such as Shodan. Threat actors can use these search engines to engage in malicious behaviors such as collecting information on attack targets or performing port scanning attacks against any devices.…
There are two types of malicious documents that are distributed via email recently: those exploiting the equation editor and those including external link URLs. This post will describe the infection flow of the DanaBot malware that is distributed through documents containing external links, the latter method, as well as the evidence and detection process with the AhnLab EDR product’s diagram.…
Rapid7 has observed an ongoing campaign to distribute trojanized installers for WinSCP and PuTTY via malicious ads on commonly used search engines, where clicking on the ad leads to typosquatted domains. In at least one observed case, the infection has led to the attempted deployment of ransomware.…
Malicious Google ad redirects to FakeBat, dropping zgRAT.
FakeBat, tested on May 5, 2024
FakeBat (EugenLoader) is a type of malware loader packaged in Microsoft installers (MSI or MSIX) distributed via social engineering lures. It is most commonly delivered via malicious ads (malvertising) on Google.
The often large installers conceal a malicious PowerShell script responsible for communicating with the malicious infrastructure and retrieving a follow-up payload.…
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.…
Executive Summary
Unit 42 researchers have discovered that the Muddled Libra group now actively targets software-as-a-service (SaaS) applications and cloud service provider (CSP) environments. Organizations often store a variety of data in SaaS applications and use services from CSPs.…