QR Codes, the square images that contain coded information that can be scanned by a smartphone, are becoming increasingly popular. With the number of smartphone users reaching 6.92 billion this year, access to the information within these ingenious images is within reach by around 86% of the world’s population.…
Tag: EMAIL
Analysis and Report by Fabian Marquardt (@marqufabi)
Recently, Telekom Security CTI was made aware via trust groups in which we are engaged about a new malware campaign that is distributed via phishing emails. The malspam campaign used stolen email threads to lure victim users into clicking the contained hyperlink, which downloaded the malware.…
On the morning of August 24, Phylum’s automated risk detection system identified a suspicious package published to npm called “emails-helper.” A deeper investigation revealed that this package was part of an intricate attack involving Base64-encoded and encrypted binaries. The scheme fetches encryption keys from a DNS TXT record hosted on a remote server.…
AhnLab Security Emergency response Center (ASEC) has recently discovered cases of proxyjacking targeting poorly managed MS-SQL servers. Publicly accessible MS-SQL servers with simple passwords are one of the main attack vectors used when targeting Windows systems. Typically, threat actors target poorly managed MS-SQL servers and attempt to gain access through brute force or dictionary attacks.…
We’ve previously reported on a Nokoyawa ransomware case in which the initial access was via an Excel macro and IcedID malware. This case, which also ended in Nokoyawa Ransomware, involved the threat actor deploying the final ransomware only 12 hours after the initial compromise.
This threat actor delivered a password protected ZIP file via HTML smuggling to organizations back in late October, early November 2022.…
This article is not an in-depth reverse-engineering analysis of a ransomware variant. Rather, it discusses the methods and different techniques used to uncover previous ransomware campaigns.
When a ransomware is successful out in the wild, it is a common to see cybercriminals use the same ransomware samples — slightly tweaking their codebase — to pilot other projects.…
The Monti ransomware collective has restarted their operations, focusing on institutions in the legal and governmental fields. Simultaneously, a new variant of Monti, based on the Linux platform, has surfaced, demonstrating notable differences from its previous Linux-based versions.
IntroductionThe Monti ransomware, which has both Windows and Linux-based variants, gained attention from cybersecurity organizations and researchers when it was first discovered in June 2022 because of its striking resemblance to the infamous Conti ransom ware — not just in name but also the tactics that the threat actors used.…
Notification
Read More This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.…
By Trellix · August 17, 2023 This story was also written by Phelix Oluoch
Executive SummaryScattered Spider, also referred to as UNC3944, Scatter Swine, and Muddled Libra, is a financially motivated threat actor group that has been active since May 2022. Scattered Spider has largely been observed targeting telecommunications and Business Process Outsourcing (BPO) organizations.…
Cisco Talos discovered the North Korean state-sponsored actor Lazarus Group targeting internet backbone infrastructure and healthcare entities in Europe and the United States. This is the third documented campaign attributed to this actor in less than a year, with the actor reusing the same infrastructure throughout these operations.…
Read More
In the Lazarus Group’s latest campaign, which we detailed in a recent blog, the North Korean state-sponsored actor is exploiting CVE-2022-47966, a ManageEngine ServiceDesk vulnerability to deploy multiple threats. In addition to their “QuiteRAT” malware, which we covered in the blog, we also discovered Lazarus Group using a new threat called “CollectionRAT.”…
Read More
Executive Summary
Read More In March 2023, Lumen Black Lotus Labs reported on a complex campaign called “HiatusRAT” that infected over 100 edge networking devices globally. The campaign leveraged edge routers, or “living on the edge” access, to passively collect traffic and functioned as a covert network of command and control (C2) infrastructure. …
The evolution of the ransomware landscape has seen a shift from the more traditional approach involving Windows payloads to ones targeting other platforms, most notably Linux. In this shift, ransomware operators are shortening the time gaps between different payload releases and bringing feature parity across diverse platforms.…
Published On : 2023-08-18
EXECUTIVE SUMMARYThe CYFIRMA research team has discovered a new Malware-as-a-service (MaaS) operator that goes by the moniker EVLF DEV. This threat actor is responsible for the development of CypherRAT and CraxsRAT, which in the last 3 years was purchased by over 100 distinct threat actors on a lifetime license.…
Note: The following is a redacted version of a larger report. For full and comprehensive details of this attack, please enquire about our CTI-on-demand service.
SummaryBlackBerry has discovered and documented new tools used by the Cuba ransomware threat group.
Cuba ransomware is currently into the fourth year of its operation and shows no sign of slowing down.…
As cyber threats continue to evolve, a new ransomware has been discovered bearing unmistakable similarities to another well-known ransomware variant, Lockbit.
It is noteworthy to point out that Lockbit’s source code was leaked around a year ago, making it possible for other threat actors to potentially develop new variants based on this.…
ESET Research
ESET researchers have observed a new phishing campaign targeting users of the Zimbra Collaboration email server.
Viktor Šperka
17 Aug 2023 • , 5 min. read
ESET researchers have uncovered a mass-spreading phishing campaign, aimed at collecting Zimbra account users’ credentials, active since at least April 2023 and still ongoing.…
Gozi strikes again, targeting banks, cryptocurrency and more
formgrabber module and was often classified as Ursnif/Snifula due to the shared codebase. With these capabilities, Gozi CRM quickly gained attention in the cybercriminal community.
In September 2010, a significant event occurred that would shape the future of Gozi.…
Starting from May 2023, researchers from Cofense discovered a large-scale phishing campaign using QR codes in attacks aimed at stealing the Microsoft credentials of users from multiple industries
One of the organizations targeted by hackers is a notable energy company in the US.
“Beginning in May 2023, Cofense has observed a large phishing campaign utilizing QR codes targeting the Microsoft credentials of users from a wide array of industries.”…
Recently, AhnLab Security Emergency response Center (ASEC) has identified that the Hakuna Matata ransomware is being used to attack Korean companies. Hakuna Matata is a ransomware that has been developed relatively recently. The first report related to Hakuna Matata was identified on July 6th, 2023 on Twitter.…