Key TakeawaysCyble Research & Intelligence Labs (CRIL) encountered a typosquatted domain of Sophos.
The phishing site contains a malware payload embedded within its source code.
When a user visits this site, the malware is automatically downloaded to the victim’s machine without requiring any user interaction.…
Read More Tag: EMAIL
Cisco Talos recently discovered a new malware family we’re calling “HTTPSnoop” being deployed against telecommunications providers in the Middle East.
HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint.…
Read More
Introduction
Read More In July 2023, Zscaler ThreatLabz discovered new malicious activity perpetuated by the Pakistan-based advanced persistent threat group (APT36). APT36 is a sophisticated cyber threat group with a history of conducting targeted espionage operations in South Asia. We observed APT36 targeting Indian government sectors using a previously undocumented Windows RAT, new cyber espionage utilities for Linux, new distribution mechanisms, and a new attack vector used against the Linux environment. …
Published On : 2023-09-17
EXECUTIVE SUMMARYAt Cyfirma, we are committed to providing up-to-date information on the most prevalent threats and tactics used by malicious actors to target both organizations and individuals. In this analysis, we delve into a trending information stealer RedLine. This investigation reveals a novel strain of malware that is being disseminated in the guise of a counterfeit document, packaged within a zip archive that houses a batch script file.…
This post is also available in: 日本語 (Japanese)
Executive SummaryTurla (aka Pensive Ursa, Uroburos, Snake) is a Russian-based threat group operating since at least 2004, which is linked to the Russian Federal Security Service (FSB). In this article, we will cover the top 10 most recently active types of malware in Pensive Ursa’s arsenal: Capibar, Kazuar, Snake, Kopiluwak, QUIETCANARY/Tunnus, Crutch, ComRAT, Carbon, HyperStack and TinyTurla.…
Key Takeaways
Read More • Cyble Research and Intelligence Labs (CRIL) came across Python malware capturing screenshots and sending them over FTP to remote attackers.• Proofpoint has observed similar campaigns in the recent past targeting the United States and Germany, with the perpetrator tracked as “TA866”.• This particular campaign targets Tatar language-speaking users who primarily reside in a particular region of Russia.•…
Introduction
Read More Knowledge is our best weapon in the fight against cybercrime. An understanding of how various gangs operate and what tools they use helps build competent defenses and investigate incidents. This report takes a close look at the history of the Cuba group, and their attack tactics, techniques and procedures.…
On August 29, 2023, Retool notified 27 cloud customers that there had been unauthorized access to their accounts. If you’re reading this and you were not notified, don’t worry – your account was not impacted. There was no access to on-prem or managed accounts. Nevertheless, here’s what happened, with the hope that this will help apply the lessons we’ve learned and prevent more attacks across the industry.…
Authored by Yashvi Shah
Agent Tesla functions as a Remote Access Trojan (RAT) and an information stealer built on the .NET framework. It is capable of recording keystrokes, extracting clipboard content, and searching the disk for valuable data. The acquired information can be transmitted to its command-and-control server via various channels, including HTTP(S), SMTP, FTP, or even through a Telegram channel.…
Research by: Niv Asraf
Abstract
In the last two months, Check Point researchers encountered a new large-scale phishing campaign that recently targeted more than 40 prominent companies across multiple industries, in Colombia. The attackers’ objective was to discreetly install the notorious “Remcos” malware on victims’ computers.…
In the battle of hackers against defenders, we consistently find hackers trying to disguise their true intent. We have analyzed an interesting sample that was armed with multiple layers of obfuscation. These packages were quite the challenge. However, the attackers have not yet realized that no amount of obfuscation can hide their intentions.…
Booking engines – they make the worlds of travel and hospitality spin around. Estimated at over $US 500 billion, this market moves fast. These engines are a critical, nearly invisible part of the hospitality industry, and their security is essential to protect guests’ personal and financial information.…
Affected platforms: WindowsImpacted parties: Any organizationImpact: Remote attackers steal credentials, sensitive information, and cryptocurrencySeverity level: Critical
In August, FortiGuard Labs obtained a Word document containing a malicious URL designed to entice victims to download a malware loader. This loader employs a binary padding evasion strategy that adds null bytes to increase the file’s size to 400 MB.…
Notification
Read More This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.…
Introduction
Read More Zscaler ThreatLabz recently discovered a new stealing campaign dubbed as the “Steal-It” campaign. In this campaign, the threat actors steal and exfiltrate NTLMv2 hashes using customized versions of Nishang’s Start-CaptureServer PowerShell script, executing various system commands, and exfiltrating the retrieved data via Mockbin APIs.
Through an in-depth analysis of the malicious payloads, our team observed a geofencing strategy employed by the campaign, with specific focus on targeting regions including Australia, Poland, and Belgium.…
Affected platforms: Microsoft WindowsImpacted parties: Windows UsersImpact: Collects sensitive information from a victim’s computerSeverity level: Critical
Our FortiGuard Labs captured a phishing campaign that spreads a new Agent Tesla variant. This well-known malware family uses a .Net-based Remote Access Trojan (RAT) and data stealer to gain initial access.…
BlueShell is a backdoor developed in Go. It is available on GitHub and supports Windows, Linux, and Mac operating systems. Currently, it seems the original GitHub repository has been deleted, but the BlueShell source code can be downloaded from other repositories. Notably, the ReadMe file containing the guidelines is in Chinese, and this suggests that the creator may be a Chinese speaker.…
Investigating the Senders
Read More Using Microsoft Purview’s eDiscovery tool we searched for the senders (participants) in Microsoft Teams.
The senders of the external Microsoft Teams chat messages were identified as “Akkaravit Tattamanas” (63090101@my.buu.ac.th) and “ABNER DAVID RIVERA ROJAS” (adriverar@unadvirtual.edu.co). Truesec Threat Intelligence confirmed the accounts were compromised via an unknown malware and put up for sale on the Dark Web in August 2023.…
The AhnLab Security Emergency response Center (ASEC) analysis team has recently discovered that the CHM malware, which is assumed to have been created by the RedEyes threat group, is being distributed again. The CHM malware in distribution operates in a similar way to the “CHM Malware Disguised as Security Email from a Korean Financial Company”[1] covered in March of this year and also uses the same commands used in the “2.3.…
Security teams are well aware of the growing problem of software supply chain attacks, but it’s essential that organizations stay abreast of the various threats posed to software supply chains.
One of the pain points that organizations need to learn more about and defend against is malicious campaigns found on open-source software repositories.…