By Edmund Brumaghin, Azim Khodjibaev and Matt Thaxton, with contributions from Arnaud Zobec.

Executive Summary

Dark Utilities, released in early 2022, is a platform that provides full-featured C2 capabilities to adversaries. It is marketed as a means to enable remote access, command execution, distributed denial-of-service (DDoS) attacks and cryptocurrency mining operations on infected systems.…
New Stealer Being Sold Via MaaS Model

Cyble Research Labs has been actively monitoring various Stealers and blogging about them to keep our readers aware and informed. Recently, we came across a malware sample which turned out to be a new malware variant named “LOLI Stealer.”

LOLI Stealer is an Info Stealer that steals sensitive information such as passwords, cookies, screenshots, etc.,…

Continuing our initiative of sharing VirusTotal’s visibility to help researchers, security practitioners and the general public better understand the nature of malicious attacks, we are proud to announce our “Deception at scale: How malware abuses trust” report. 

This time, we focused on different techniques used by malware to bypass defenses and make social engineering attacks more effective.…
Info Stealer Targeting Browsers and Crypto Wallets

The popularity of Cryptocurrency has increased exponentially over the recent years as dealing with crypto has become relatively hassle-free and more accessible. The financial returns of crypto investments have attracted many investors to invest in crypto markets.

As the demand for crypto investment has increased over the years, we can also see a corresponding rise in the number of crypto wallets.…


A few months ago, we reported on an interesting site called the Chameleon Phishing Page. These websites have the capability to change their background and logo depending on the user’s domain. The phishing site is stored in IPFS (InterPlanetary File System) and after reviewing the URLs used by the attacker, we noticed an increasing number of phishing emails containing IPFS URLs as their payload.…


A few days ago we discovered a very interesting sample that was uploaded from Iran. The document is a contract for the supply of services to an energy company from southern Iran, «Tavangoostar Niro va Gashtavar Jonob». The document also contains a link to this energy company.…

Blog By: David Ledbetter

July 25, 2022

The sample today is an Office Document. Sha256: 2cc30a017cf7312c737be593f36f2d84dd38c285a75512c9ab2e78f0bc1ba48b

Found Here on InQuest Labs.

We see the lure here trying to get the user to enable content in order to run whatever surprise they have hidden inside. After viewing these in a hex editor to see what I am dealing with, I usually decompress them and look through the folder system.…

Threat Actors Leveraging Microsoft Applications to Deliver Cobalt-Strike Beacons

DLL (Dynamic-Link Library) sideloading is a technique used by Threat Actors to infect users using legitimate applications which load malicious DLL files that spoof legitimate ones. Recently Cyble Research Labs published a blog about Qakbot malware that leverages a calculator to perform DLL Sideloading.…

SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT”

Volexity tracks a variety of threat actors to provide unique insights and actionable information to its Threat Intelligence customers. One frequently encountered actor, whose activity often results in forensic investigations on compromised systems, is tracked by Volexity as SharpTongue.…


In June 2022, LockBit revealed version 3.0 of its ransomware. In this blog entry, we discuss the findings from our own technical analysis of this variant and its behaviors, many of which are similar to those of the BlackMatter ransomware.

In March 2022, less than a year after LockBit 2.0 first emerged, researchers caught wind of an upcoming new variant of the LockBit ransomware. LockBit…

Threat Actors Leveraging DLL-SideLoading to Deliver Malware

During a routine threat-hunting exercise, Cyble Research Labs came across a Twitter post wherein a researcher shared new IoCs related to the infamous Qakbot malware.

For initial infection, Qakbot uses an email mass spamming campaign. The Qakbot Threat Actors (TAs) have continuously evolved their infection techniques ever since it was initially identified in the wild.…

Executive summary

Since the Russian invasion of Ukraine began, Ukrainians have been under a nearly constant barrage of cyber attacks. Working jointly with Ukrainian organizations, Cisco Talos has discovered a fairly uncommon piece of malware targeting Ukraine — this time aimed at a large software development company whose software is used in various state organizations within Ukraine.…


July 21, 2022

Bryan Campbell, Pim Trouerbach, Selena Larson and the Proofpoint Threat Research Team

Key Findings

TA4563 is a threat actor leveraging EvilNum malware to target European financial and investment entities, especially those with operations supporting foreign exchanges, cryptocurrency, and decentralized finance (DeFi). EvilNum is a backdoor that can be used for data theft or to load additional payloads.…

In April 2022, ESET researchers discovered a previously unknown macOS backdoor that spies on users of the compromised Mac and exclusively uses public cloud storage services to communicate back and forth with its operators. Following analysis, we named it CloudMensis. Its capabilities clearly show that the intent of its operators is to gather information from the victims’ Macs by exfiltrating documents, keystrokes, and screen captures.…


Fortinet’s FortiGuard Labs captured a phishing email as part of a phishing campaign spreading a new variant of QakBot. Also known as QBot, QuackBot, or Pinkslipbot, QakBot is an information stealer and banking Trojan that has been captured and analyzed by security researchers since 2007.

I performed a deep analysis on this phishing campaign and the new QakBot variant using the captured email.…

Redeemer 2.0 being distributed via Affiliate Program

Cyble Research Labs has constantly been tracking emerging threats as well as their delivery mechanisms from Ransomware groups, RATs, etc. During a routine threat-hunting exercise, we came across the latest version of Redeemer ransomware on darkweb cybercrime forums. The below figure shows a post made by the Redeemer Ransomware Developer named “Cerebrate” on a cybercrime forum.…
