The ASEC analysis team has recently identified that AgentTesla is being distributed through malicious VBS. The script file has multiple codes that have been obfuscated multiple times. AgentTesla has been found to be distributed last May through a Windows Help file (*.chm), and it seems that its distribution method is continuously changing.…
Tag: EMAIL
April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather.
DEV-0206 is now tracked as Mustard Tempest DEV-0243 is now tracked as Manatee Tempest DEV-0950 is now tracked as Lace Tempest DEV-0651 is now tracked as Storm-0651 DEV-0856 is now tracked as Storm-0856To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.…
FortiGuard Labs recently discovered an email pretending to come from the Hungarian government. It informs the user that their new credentials to a governmental portal are attached. The attachment, however, is a zipped executable that, upon execution, extracts the Warzone RAT to memory and runs it.…
Our blog entry provides a look at an attack involving the LV ransomware on a Jordan-based company from an intrusion analysis standpoint
OverviewThe Trend Micro research team recently analyzed an infection related to the LV ransomware group, a ransomware as a service (RaaS) operation that has been active since late 2020, and is reportedly based on REvil (aka Sodinokibi).…
Most malware implements communication with their C2 server over HTTP(S). Why? Just because it works! But they are multiple ways to implement C2 communications: DNS, P2P, Layer 7 (Twitter), … Another one that has become less popular with time is SMTP (email communications). I spotted a malicious Python script that exchanges information with its C2 server through emails. …
Our latest Brand Phishing Report for Q3 2022 highlights the brands which were most frequently imitated by criminals in their attempts to steal individuals’ personal information or payment credentials during July, August and September.
While LinkedIn was the most imitated brand in both Q1 and Q2 2022, it’s shipping company DHL that took the top spot in Q3, accounting for twenty-two percent of all phishing attempts worldwide.…
By Nati Tal (Guardio Labs) — BadEx II
TL;DRThe “Dormant Colors” is yet another vast campaign of malicious extensions with millions of active installations worldwide, this time with a color-related theme and full of deception all through the chain. It starts with the trickery malvertising campaign, continues with a crafty novel way to side-load the real malicious code without anyone noticing (until now!),…
Summary
Actions to take today to mitigate cyber threats from ransomware:
Install updates for operating systems, software, and firmware as soon as they are released. Require phishing-resistant MFA for as many services as possible. Train users to recognize and report phishing attempts.Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors.…
This post is also available in: 日本語 (Japanese)
Executive SummaryPalo Alto Networks Advanced URL Filtering subscription collects data regarding two types of URLs; landing URLs and host URLs. We define a malicious landing URL as one that provides an opportunity for a user to click a malicious link.…
While monitoring the Dark web for emerging threats, our researcher at Cyble Research and Intelligence Labs (CRIL) found a post where Threat Actors (TAs) advertising a project named “Temp” and selling a loader and stealer. The TA named them Temp Loader and Temp Stealer, respectively.…
In April, VMware patched a vulnerability CVE-2022-22954. It causes server-side template injection because of the lack of sanitization on parameters “deviceUdid” and “devicetype”. It allows attackers to inject a payload and achieve remote code execution on VMware Workspace ONE Access and Identity Manager. FortiGuard Labs published Threat Signal Report about it and also developed IPS signature in April.…
The Wordfence Threat Intelligence team has been monitoring exploit attempts targeting two zero-day vulnerabilities in Microsoft Exchange Server tracked as CVE-2022-41040 and CVE-2022-41082, collectively known as ProxyNotShell. These vulnerabilities are actively being exploited in the wild. At the time of writing, we have observed 1,658,281 exploit attempts across our network of 4 million protected websites.…
Minutes make the difference to defenders in responding to a ransomware attack on a victim’s network. BianLian ransomware raises the cybercriminal bar by encrypting files with exceptional speed.
Threat actors built the new BianLian ransomware in the Go programming language (aka Golang). Despite the large size of files created in Go, threat actors are turning to this “exotic” programming language more often for a variety of reasons, particularly its robust support for concurrency.…
Phishing sites are becoming an increasingly attractive target for Threat Actors (TAs) to lure victims into stealing sensitive information, and downloading other malware, such as RAT, Ransomware, etc., to damage the victim’s machine. Generally, the link of these phishing pages arrives to users via SMS, Email, social networks, etc.…
Research By: Karthickkumar K
…
Online digital tools are used by many people today simply due to their ease of use and the fact that they provide a platform for the user to perform various operations effectively. These tools are web-based software hosted on websites and can be accessed via the internet without having to download and install anything on the user’s machine.…
Checkmarx discovered ~200 malicious NPM packages with thousands of installations linked to an attack group called “LofyGang”.
This attack group has been operating for over a year with multiple hacking objectives:
Credit card information Discord “Nitro” (premium) upgrades Streaming services accounts (e.g. Disney+), Minecraft accounts, and more.…Contributions from Matt Thaxton.
Cisco Talos discovered a new attack framework including a command and control (C2) tool called “Alchimist” and a new malware “Insekt” with remote administration capabilities. The Alchimist has a web interface in Simplified Chinese with remote administration features. The attack framework is designed to target Windows, Linux and Mac machines.…A tech support scam is an extensive fraud where the scammer offers a support service for any legitimate entity and lures the victim into contacting the scammer via a fake support helpline number. After contacting the helpline, the scammer gains access to the victim’s machine and can perform activities such as fraudulent transactions, stealing sensitive data, etc.…
We analyzed a QAKBOT-related case leading to a Brute Ratel C4 and Cobalt Strike payload that can be attributed to the threat actors behind the Black Basta ransomware.
SummaryQAKBOT’s malware distribution resumed on September 8, 2022 following a brief hiatus, when our researchers spotted several distribution mechanisms on this date.…