Splunk is committed to using inclusive and unbiased language. This blog post might contain terminology that we no longer use. For more information on our updated terminology and our stance on biased language, please visit our blog post. We appreciate your understanding as we work towards making our community more inclusive for everyone.…
Tag: EDR
UPDATED: 1 June 2023 @ 1733 ET – Added shareable Huntress YARA rule for assistance in detection effortUPDATED: 1 June 2023 @ 2023 ET – Added Kostas community Sigma rule to assist in detection effortsUPDATED: 1 June 2023 @ 2029 ET – Added screenshots for the DLL that creates the human2.aspx…
Microsoft has uncovered stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States. The attack is carried out by Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering.…
In this blog post, we will provide details on a BlackCat ransomware incident that occurred in February 2023, where we observed a new capability, mainly used for the defense evasion phase.
Executive SummaryIn late December 2022, Mandiant, Sophos and Sentinel One, via a coordinated disclosure, reported malicious kernel drivers being signed through several Microsoft hardware developer accounts (certified by Microsoft’s Windows Hardware Developer Program).…
Last year, we reported the growing use of the commercial offensive security tool Brute Ratel by criminal actors, including those behind Black Cat ransomware incidents. After public exposure of a version of the tool, many were concerned that Brute Ratel would become widely adopted as the successor to Cobalt Strike, the long-lived and long-abused offensive security tool that has been the go-to for malicious actors’ lateral movement needs.…
Summary
Read More Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.…
Water Orthrus has been active recently with two new campaigns. CopperStealth uses a rootkit to install malware on infected systems, while CopperPhish steals credit card information. This blog will provide the structure of the campaign and how they work.
Since 2021, we have been tracking the activities of a threat actor we called Water Orthrus, which distributed CopperStealer malware via pay-per-install (PPI) networks.…
On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.…
By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov
TL;DRAn unusual attack/phishing campaign delivering malware while using meme-filled code and complex obfuscation methods continues dropping Xworm payloads for the last few months and is still ongoing today.
IntroFor the last few months, an interesting and ongoing attack campaign was identified and tracked by the Securonix Threat Research team.…
Authored by: Anandeshwar Unnikrishnan
Stage 1: GULoader Shellcode DeploymentIn recent GULoader campaigns, we are seeing a rise in NSIS-based installers delivered via E-mail as malspam that use plugin libraries to execute the GU shellcode on the victim system. The NSIS scriptable installer is a highly efficient software packaging utility.…
This post is also available in: 日本語 (Japanese)
Executive SummaryRoyal ransomware has been involved in high-profile attacks against critical infrastructure, especially healthcare, since it was first observed in September 2022. Bucking the popular trend of hiring affiliates to promote their threat as a service, Royal ransomware operates as a private group made up of former members of Conti.…
Executive Summary
Read More On 21st March 2023, EclecticIQ researchers detected a spearphishing email targeting the healthcare industry in Poland. The spoofed email was designed to appear as legitimately sent from a Polish government entity called the National Health Fund (Narodowy Fundusz Zdrowia – NFZ).
The email contained a malicious Microsoft Excel XLL attachment that can download and execute Vidar Infostealer malware upon user execution.…
On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.…
With recent reports that Charming Kitten group (aka Mint Sandstorm) is actively targeting critical infrastructure in the US and other countries, we would like to share the most recent insights from Bitdefender Labs about modernization of Charming Kitten’s tactics, techniques, and procedures, including a new, previously unseen malware.…
Introduction
Read More Infoblox analyzes over 70 billion DNS records each day, along with millions of domain-related records from other sources, to identify suspicious and malicious domains throughout the internet. Our algorithms work in series, making near-real time decisions on some domains using our Threat Insight infrastructure, while other decisions are made over time, leveraging a longitudinal profile of the domain.…
By Securonix Threat Labs, Threat Research: Den Iuzvyk, Tim Peck, Oleg Kolesnikov
TL;DRThe Securonix Threat Research team (STR) has recently observed a new attack campaign tracked by Securonix as OCX#HARVESTER. Some of the malicious payloads leveraged as part of the attack campaign observed appear to be related to the More_eggs malicious payloads reported earlier [1].…
Over the past several months, Sophos X-Ops has investigated multiple incidents where attackers attempted to disable EDR clients with a new defense evasion tool we’ve dubbed AuKill. The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system.…
The Uptycs threat research team has discovered a new Linux malware, Poseidon, deployed by the APT-36 group, also known as Transparent Tribe. This Pakistan-based advanced persistent threat group is notorious for targeting Indian government organizations, military personnel, and defense contractors.…
Over the past several months, Microsoft has observed a mature subgroup of Mint Sandstorm, an Iranian nation-state actor previously tracked as PHOSPHORUS, refining its tactics, techniques, and procedures (TTPs). Specifically, this subset has rapidly weaponized N-day vulnerabilities in common enterprise applications and conducted highly-targeted phishing campaigns to quickly and successfully access environments of interest.…
The Aurora stealer is a notorious Golang-based information stealer that’s been gaining popularity from the end of 2022 through the first quarter of 2023. The Morphisec Threat Labs team has been tracing its activities using our prevention telemetry along with dark-web activities. …