The Qakbot malware has reappeared just four months after law enforcement disrupted its distribution in the “Duck Hunt” operation. Lately, various security companies have noticed the malware spreading through phishing emails. Microsoft, which discovered this, described it as a small-scale campaign starting on December 11, 2023, specifically targeting the hospitality industry.…
Tag: EDR
Authors: Karthickkumar Kathiresan, Shilpesh Trivedi
Known for its history of relentless cyber-attacks against Ukrainian targets, the UAC-0050 threat group is at it again. But this time, Uptycs researchers have discovered an advanced strategy that allows for a more clandestine data transfer channel, effectively circumventing detection mechanisms employed by Endpoint Detection and Response (EDR) and antivirus systems.…
On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.…
A new plant has grown in the desert of cyber threats, wielding its thorns to pierce through organizations and individuals alike. The Cactus Ransomware Group, a name recently whispered with curiosity across the cybersecurity realm, has emerged from the shadows, sowing seeds of chaos and disruption in its wake.…
Key Takeaways
On September 29, 2023, the QBit Ransomware-as-a-Service (RaaS) group introduced a newly developed ransomware crafted in Go.
On October 9, 2023, the QBit Team unveiled qBit Stealer, developed in the Go language, highlighting its claim of being undetectable by Endpoint Detection and Response solutions (EDRs).…
Read More
SUMMARY
Read More
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.…
SUMMARY
Read More
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.…
This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 researchers have observed threat actors using malicious JavaScript samples to steal sensitive information by abusing popular survey sites, low-quality hosting and web chat APIs. In some campaigns, attackers created chatbots that they registered to someone noteworthy such as an Australian footballer.…
In early September 2023, ReliaQuest detected suspicious process executions within a customer’s environment, originating from the Windows debug directory. Our subsequent investigation revealed these executions as part of a more significant cyber-threat incident that resulted in double extortion: the encryption of customer data, followed by ransomware deployment and a threat to publicly release the data. …
Executive Summary
Read More
The Black Lotus Labs team at Lumen Technologies is tracking a small office/home office (SOHO) router botnet that forms a covert data transfer network for advanced threat actors. We are calling this the KV-botnet, based upon artifacts in the malware left by the authors.…
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.…
In the ever-evolving landscape of cybersecurity threats, one name that consistently surfaces as a force to be reckoned with is “PlugX.” This covert and insidious malware has left a trail of digital intrigue, combining advanced features with a knack for eluding detection. Its history is interwoven with cyber espionage, targeted attacks, and a continuous cat-and-mouse game with security experts (1)(2).…
Targeted attacks
Unknown threat actor targets power generator with DroxiDat and Cobalt Strike
Read More
Earlier this year, we reported on a new variant of SystemBC called DroxiDat that was deployed against a critical infrastructure target in South Africa. This proxy-capable backdoor was deployed alongside Cobalt Strike beacons.…
By Securonix Threat Research: D.Iuzvyk, T.Peck, O.Kolesnikov
tl;drThreat actors working as part of DB#JAMMER attack campaigns are compromising exposed MSSQL databases using brute force attacks and appear to be well tooled and ready to deliver ransomware and Cobalt Strike payloads.
In an interesting attack campaign, the Securonix Threat Research team has identified threat actors targeting exposed Microsoft SQL (MSSQL) services using brute force attacks.…
◈ Executive Summary
Using the delivery method of HWP documents containing malicious OLE through deception and access through foreign news channel interviews
Execution of encrypted PowerShell commands using the FlowerPower APT attack tool series
Setting up the code hosting platform GitHub for version control and collaboration as a command center for threat commands
Effect of minimizing damage through threat visibility and early detection with Genian EDR solution
1.…
Read More
During the various phases of an attack, it’s not uncommon for threat actors to use “living off the land” binaries (LOLBins) or scripts and libraries (LOLBAS). Doing so means that the threat actor has fewer tools to bring with them, and it also reduces their chances of being detected because they’re hiding amongst seemingly normal activity within the environment. …
Leveraging Ghidra to establish context and intent behind suspicious strings. Taking things one step further after initial analysis tooling like Pe-Studio and Detect-it-easy.
This is great technique for working with Ghidra and establishing a starting point for analysis. Reducing total investigation time and determining why and how a string is contained within a file.…
Table of Contents
Read More
During a recent hunt, Qualys Threat Research has come across a ransomware family known as Phobos, impersonating VX-Underground. Phobos ransomware has been knocking on our door since early 2019 and is often seen being distributed via stolen Remote Desktop Protocol (RDP) connections. Strongly believed to be closely tied to the preceding Dharma malware, Phobos usually operates as a Ransomware-as-a-Service (RaaS) threat model.…
Microsoft Threat Intelligence has uncovered a supply chain attack by the North Korea-based threat actor Diamond Sleet (ZINC) involving a malicious variant of an application developed by CyberLink Corp., a software company that develops multimedia software products. This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload.…