Recently, AhnLab Security Emergency response Center (ASEC) has identified that the Hakuna Matata ransomware is being used to attack Korean companies. Hakuna Matata is a ransomware that has been developed relatively recently. The first report related to Hakuna Matata was identified on July 6th, 2023 on Twitter.…
Tag: EMAIL
Key TakeawaysThe blog delves into a new infection approach to disseminating the SectopRAT final payload.
Providing insight into LummaC stealer and its method of procuring the Amadey bot malware.
The Amadey bot replicates itself to ensure persistence, generating an LNK file within the startup folder directory.…
Read More As technology continues to evolve, there is a growing concern about the potential for large language models (LLMs), like ChatGPT, to be used for criminal purposes. In this blog we will discuss two such LLM engines that were made available recently on underground forums, WormGPT and FraudGPT. …
Introduction
Read More In June of 2023, our research team at Zscaler ThreatLabz discovered a threat actor targeting FinTech users in the LATAM region. JanelaRAT involves several tactics, techniques, and procedures (TTPs) such as DLL side-loading, dynamic C2 infrastructure, and a multi-stage attack.
The final malware involved in this campaign is a heavily modified variant of BX RAT.…
From February to July 2023, Netskope Threat Labs has been tracking a staggering 61-fold increase in traffic to phishing pages hosted in Cloudflare R2. The majority of the phishing campaigns target Microsoft login credentials, although there are some pages targeting Adobe, Dropbox, and other cloud apps.…
Python Package Index (PyPI) packages have become a common way for threat actors to post malware that unsuspecting victims may download. The FortiGuard Labs team has been monitoring this attack vector for some time and, earlier this year, began posting a monthly update of the malicious packages we have discovered.…
The highly popular NuGet package, Moq, with total downloads of 475M+, released a new versions 4.20.0 and 4.20.1 on August 8th with a new sub-dependency that has hidden executable code that reads the user’s local git config, extracting the developer’s email address, hashing it, and sending it to a cloud service.…
Notification
Read More This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.…
In June 2023, Trend Micro observed an upgrade to the evasion techniques used by the Batloader initial access malware, which we’ve covered in previous blog entries.
In June 2023, Trend Micro observed an upgrade to the evasion techniques used by the Batloader initial access malware, which we’ve covered in previous blog entries.…
By Jonell Baltazar · August 10, 2023This blog was also written by Antonio Ribeiro
Trellix detected an ongoing campaign using fake Chrome browser updates to lure victims to install a remote administration software tool called NetSupport Manager. Malicious actors abuse this software to steal information and take control of victim computers.…
This post is also available in: 日本語 (Japanese)
Executive SummaryWhile the SugarCRM CVE-2023-22952 zero-day authentication bypass and remote code execution vulnerability might seem like a typical exploit, there’s actually more for defenders to be aware of. Because it’s a web application, if it’s not configured or secured correctly, the infrastructure behind the scenes can allow attackers to increase their impact.…
By Tom Hegel and Aleksandar Milenkoski
Executive SummarySentinelLabs identified an intrusion into the Russian defense industrial base, specifically a missile engineering organization NPO Mashinostroyeniya.Our findings identify two instances of North Korea related compromise of sensitive internal IT infrastructure within this same Russian DIB organization, including a specific email server, alongside use of a Windows backdoor dubbed OpenCarrot.…Affected platforms: WindowsImpacted parties: Any organizationImpact: Controls victim’s device and collects sensitive informationSeverity level: Critical
FortiGuard Labs recently detected a new injector written in Rust—one of the fastest-growing programming languages—to inject shellcode and introduce XWorm into a victim’s environment. While Rust is relatively uncommon in malware development, several campaigns have adopted this language since 2019, including Buer loader, Hive, and RansomExx.…
This is the third part of our research based on an investigation of a series of attacks against industrial organizations in Eastern Europe.
The attackers aimed to establish a permanent channel for data exfiltration, including data stored on air-gapped systems.
In total we have identified over 15 implants and their variants planted by the threat actor(s) in various combinations.…
Key Takeaways
Read More • The blog highlights a new infection technique for distributing STRRAT version 1.6. It involves a spam email with a PDF attachment that, when opened, downloads a zip file containing the malicious JavaScript, which drops STRRAT.• STRRAT version 1.6 employs two string obfuscation techniques: “Zelix KlassMaster (ZKM)” and “Allatori”, making it more challenging for security researchers to analyze and detect the malware.•…
Executive Summary
Read More EclecticIQ analysts assess with high confidence that two observed PDF documents are part of an ongoing campaign targeting Ministries of Foreign Affairs of NATO aligned countries. The PDF files masquerade as coming from the German embassy and contained two diplomatic invitation lures.
One of the PDFs delivered a variant of Duke – a malware that has been linked to Russian state-sponsored cyber espionage activities of APT29.…
August 09, 2023
Shachar Gritzman, Moshe Avraham, Tim Kromphardt, Jake Gionet and Eilon Bendet
Key TakeawaysOver the last six months, Proofpoint researchers have observed a dramatic surge of over 100% in successful cloud account takeover incidents impacting high-level executives at leading companies. Over 100 organizations were targeted globally, collectively representing 1.5 million employees.…
Key TakeawaysThis blog sheds light on a new Tech Scam wherein scammers employ deceptive tactics to lure users into paying for non-existent antivirus solutions.
Uncovering Tech Scammers possible involvement in different ransomware attacks.
The IP address of a domain used in this scam is associated with both the TORZON MARKETPLACE, a DarkWeb marketplace, and the “Chai Urgent Care” phishing campaign.…
Read More If you thought that falling victim to ransomware, or a hacker hijacking your workstation was a nightmare, consider the potential catastrophe of having your Kubernetes (k8s) cluster hijacked. It could be a disaster magnified a million times over.
Kubernetes has gained immense popularity among businesses in recent years due to its undeniable prowess in orchestrating and managing containerized applications.…
Key TakeawaysThe blog highlights a new infection chain for distributing AgenTesla RAT. It involves a spam email with a CPL file that, when executed, downloads a PowerShell script that injects AgentTesla malware in exe and MSbuild.exe.
The PowerShell scripts use obfuscated binary strings to hide malicious code.…
Read More