Table of Contents

During a recent hunt, Qualys Threat Research has come across a ransomware family known as Phobos, impersonating VX-Underground. Phobos ransomware has been knocking on our door since early 2019 and is often seen being distributed via stolen Remote Desktop Protocol (RDP) connections. Strongly believed to be closely tied to the preceding Dharma malware, Phobos usually operates as a Ransomware-as-a-Service (RaaS) threat model.…

Read More

Microsoft Threat Intelligence has uncovered a supply chain attack by the North Korea-based threat actor Diamond Sleet (ZINC) involving a malicious variant of an application developed by CyberLink Corp., a software company that develops multimedia software products. This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload.…

Read More

Author: Alex Jessop (@ThisIsFineChief)

Summary Tl;dr

This post will delve into a recent incident response engagement handled by NCC Group’s Cyber Incident Response Team (CIRT) involving the Ransomware-as-a-Service known as NoEscape.

Below provides a summary of findings which are presented in this blog post: 

Initial access gained via a publicly disclosed vulnerability in an externally facing server Use of vulnerable drivers to disable security controls Remote Desktop Protocol was used for Lateral Movement Access persisted through tunnelling RDP over SSH Exfiltration of data via Mega Execution of ransomware via scheduled taskNoEscape

NoEscape is a new financially motivated ransomware group delivering a Ransomware-as-a-Service program which was first observed in May 2023 being advertised on a dark web forum, as published by Cyble [1].…

Read More

By Securonix Threat Research: Den Iuzvyk, Tim Peck, Oleg Kolesnikov

tldr:

An interesting ongoing SEO poisoning/malvertising campaign leveraging WinSCP lures along with a stealthy  infection chain lures victims into installing malware (alongside the legitimate WinSCP software). Attackers are likely leveraging dynamic search ads which let threat actors inject their own malicious code while mimicking legitimate sources like Google search pages.…

Read More
SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders detailing various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.…

Read More
Executive Summary

The Black Lotus Labs team has discovered a highly unique piece of malware designed to compromise the security of the extended Berkeley Packet Filter (eBPF) functionality in the Linux kernel of container-based operating systems, like CoreOS. eBPF is a programmable framework that allows users to run code within the kernel of Linux systems, without having to write a kernel-specific module.…

Read More

AhnLab Security Emergency response Center (ASEC) detected circumstances of a malware strain being distributed through breached legitimate websites using various file names, prompting users to run them. This post will introduce how AhnLab EDR analyzes and detects the method of malware distribution using LNK files as the medium, a method that has been employed often in recent times.…

Read More

The hacker collective called GhostSec has unveiled an innovative Ransomware-as-a-Service (RaaS) framework called GhostLocker. They provide comprehensive assistance to customers interested in acquiring this service through a dedicated Telegram channel. Presently, GhostSec is focusing its attacks on Israel. This move represents a surprising departure from their past activities and stated agenda.…

Read More

Researchers recently identified a fresh Gootloader malware variant known as “GootBot,” used in SEO poisoning attacks. This variant introduces features that enable threat actors to move laterally within infected systems, and make it challenging for organizations to detect or block.

Gootloader has predominantly served as an initial access provider, with certain infections leading to ransomware incidents.…

Read More
Unveiling the Dark Side: A Deep Dive into Active Ransomware Families Author: Ross Inman (@rdi_x64) Introduction

Our technical experts have written a blog series focused on Tactics, Techniques and Procedures (TTP’s) deployed by four ransomware families recently observed during NCC Group’s incident response engagements.  

In case you missed it, last time we analysed an Incident Response engagement involving BlackCat Ransomware.…

Read More

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.…

Read More

This post is also available in: 日本語 (Japanese)

Executive Summary

Unit 42 researchers have investigated a series of destructive cyberattacks beginning in January 2023 and continuing as recently as October 2023, targeting the education and technology sectors in Israel.

The attacks are characterized by attempts to steal sensitive data, such as personally identifiable information (PII) and intellectual property.…

Read More