On April 26th, we identified a suspicious email that targeted a government official from Jordan’s foreign ministry. The email contained a malicious Excel document that drops a new backdoor named Saitama. Following our investigation, we were able to attribute this attack to the known Iranian Actor APT34.…
Tag: EMAIL
INTRODUCTION:
Identified by Proofpoint as the threat actor behind the Contact Forms campaign, TA578 also appears to be pushing ISO files for Bumblebee malware through thread-hijacked emails. These thread-hijacked emails either have links to storage.googleapis.com URLs similar to those used in the Contact Forms campaign, or they have password-protected zip attachments. …
Ursnif (aka Gozi, Dreambot, ISFB) is one of the most widespread banking trojans. It has been observed evolving over the past few years. Ursnif has shown incredible theft capabilities. In 2020 Ursnif rose to prominence becoming one of the top ten most prolific pieces of malware.…
We analyze the Black Basta ransomware and examine the malicious actor’s familiar infection tactics.
Black Basta, a new ransomware gang, has swiftly risen to prominence in recent weeks after it caused massive breaches to organizations in a short span of time.
On April 20, 2022, a user named Black Basta posted on underground forums known as XSS.IS…
It started with a seemingly benign email, dealing with the purchase of a vehicle, and ended in a reveal of a months-long campaign targeting German organizations. Most of the targets are related to the German auto-industry sector and the attacks were designed to deploy various types of info-stealing malware.…
Broadcom Software has observed the North Korea-linked advanced persistent threat (APT) group known as Lazarus conducting an espionage campaign targeting organizations operating within the chemical sector. The campaign appears to be a continuation of Lazarus activity dubbed Operation Dream Job, which was first observed in August 2020.…
Cynet’s Threat Research and Intelligence team recently discovered a new malware campaign called BumbleBee. The campaign is unique in its use of Initial Access Brokers’ (IAB) tactics to gain access to victims’ machines. In this post, we will cover what this campaign is, and how the IAB distributes the BumbleBee malware and its TTPs.…
Recently, CNCERT and 360netlab worked together and discovered a rapidly spreading DDoS botnet on the Internet. The global infection looks fairly big as just in China there are more than 10,000 daily active bots (IPs) and also more than 100 DDoS victims being targeted on a daily basis.…
Emotet was first found in the wild in 2014. Back then its main functionality was stealing user banking credentials. Since then it has survived numerous transformations, started delivering other malware and finally became a powerful botnet. In January 2021 Emotet was disrupted by a joint effort of different countries’ authorities.…
Emotet is a malware family that steals sensitive and private information from victims’ computers. The malware has infected more than a million devices and is considered one of the most dangerous threats of the decade.
In addition to analyzing threats, FortiGuard Labs also focuses on how malware spreads.…
By Jer O’Donovan, Cofense Phishing Defense Center
COVID-19 has become an ever-present topic in our lives since the start of 2020. With this we’ve seen threat actors leveraging the pandemic with themes related to remote working, vaccination status, and back to the office surveys or general updates.…
Introduction
Credential stealing malware is commonly observed in the landscape of cyber attacks today. Zscaler ThreatLabz team has discovered many new types of stealer malware across different attack campaigns. Stealers are malicious programs that threat actors use to collect sensitive information with various techniques including keylogging, cookie stealing, and sending stolen information to the Command and Control Server.…
Remcos RAT (Remote Access Trojan) was originally designed as a professional tool to remotely control computers. Remcos RAT is recognized as a malware family because it has been abused by hackers to secretly control victims’ devices since its first version was published on July 21, 2016.…
Introduction
Since Wednesday 2022-03-30, at least 16 samples of a specific Excel file have been submitted to VirusTotal. These malicious Excel files are distributed as email attachments. Post-infection traffic triggers signatures for Win32/MetaStealer Related Activity from the EmergingThreats Pro (ETPRO) ruleset. This infection process uses data binaries to create the malicious EXE and DLL files used for the infection.…
Authored by Vallabh Chole and Oliver Devane
Scammers are very quick at reacting to current events, so they can generate ill-gotten gains. It comes as no surprise that they exploited the current events in Ukraine, and when the Ukrainian Twitter account tweeted Bitcoin and Ethereum wallet addresses for donations we knew that scammers would use this as a lure for their victims.…
By Edmund Brumaghin, with contributions from Alex Karkins.
Ongoing malware distribution campaigns are using ISO disk images to deliver AsyncRAT, LimeRAT and other commodity malware to victims. The infections leverage process injection to evade detection by endpoint security software. These campaigns appear to be linked to a new version of the 3LOSH crypter, previously covered here.…
Both BLISTER and SocGholish are loaders known for their evasion tactics. Our report details what these loaders are capable of and our investigation into a campaign that uses both to deliver the LockBit ransomware.
The Trend Micro™ Managed XDR team has made a series of discoveries involving the BLISTER loader and SocGholish.…
Found in Environments Protected By:
Proofpoint | Microsoft
By Kyle Duncan and Dylan Main, Cofense Phishing Defense Center
Tax season can be a stressful time for many people, and it comes as no surprise that every year threat actors look to capitalize on this by using a variety of new tactics to exploit their targets’ accounts and systems.…