Stay Ahead of Cyber Threats – Daily Security Insights, Powered by AI
Play is a new ransomware that takes a page out of Hive and Nokoyawa’s playbook. The many similarities among them indicate that Play, like Nokoyawa, are operated by the same people.
In July, we investigated a spate of ransomware cases in the Latin American region that targeted government entitles, which was initially attributed to a new player known as Play ransomware.…
Author: Tomer Bar, VP Security Research, SafeBreach
SafeBreach Labs researchers are constantly monitoring the hacker underground, sourcing intelligence feeds, and conducting original research to uncover new threats and ensure our Hacker’s Playbook provides the most comprehensive collection of attacks. As part of this ongoing effort, we recently discovered a new targeted attack we believe is compelling for four main reasons:
It appears to target Farsi-speaking code developers by using a Microsoft Word document that includes a Microsoft Dynamic Data Exchange (DDE) exploit.…Earlier this year, [redacted] encountered a relatively new ransomware threat actor that called themselves BianLian. We observed the actor deploying custom malware that was written in the Go programming language, which posed some initial, but not insurmountable, reverse-engineering challenges.
BianLian used subtle techniques to exploit, enumerate, and move laterally in victim networks to remain undetected and aggressively worked to counter Endpoint Detection & Response (EDR) protections during the encryption phase of their operations.…
Stealing information is fundamental to cybercriminals today to scope and gain access to systems, profile organizations, and execute bigger payday schemes like ransomware. Information stealer malware families including Prynt Stealer are often configured through a builder to facilitate the process for less sophisticated threat actors. However, Zscaler ThreatLabz researchers have uncovered the Prynt Stealer builder, also attributed with WorldWind, and DarkEye, has a secret backdoor in the code that ends up in every derivative copy and variant of these malware families.…
Corporate espionage, also known as industrial espionage, is espionage conducted for commercial or financial purposes. One of the common misconceptions is that espionage is affecting only large corporations or government entities, but it is more common than expected. In this article, we provide an analysis of one such exfiltration and explain why these attacks are on the rise. …
During our routine threat-hunting exercise, Cyble Research & Intelligence Labs (CRIL) came across a Twitter post wherein a researcher mentioned an interesting JavaScript skimmer created by the Magecart threat group (a consortium of malicious hacker groups who target online shopping cart systems) that steals payment information from the Magento e-commerce website.…
By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov
IntroductionThe Securonix Threat research team has recently identified a unique sample of a persistent Golang-based attack campaign tracked by Securonix as GO#WEBBFUSCATOR. The new campaign incorporates an equally interesting strategy by leveraging the infamous deep field image taken from the James Webb telescope and obfuscated Golang programming language payloads to infect the target system with the malware.…
During a routine threat hunting exercise, Cyble Research and Intelligence Labs (CRIL) discovered a post on a cybercrime forum where a Threat Actor (TA) released MiniStealer’s builder and panel for free.
The TA claims that the stealer can target operating systems such as Windows 7, 10, and 11.…
A malicious campaign spreading the information stealer, AgentTesla, began circulating mid-August. The bad actors behind the campaign are going after information about victims’ computers and login credentials stored in browsers.
Phishing emails, sent from spoofed email addresses, with a malicious attachment are being sent to businesses across South America and Europe.…
In a recent blog, Cyble Research Labs (CRL) has highlighted an International Bank Account Number (IBAN) Clipper Malware after identifying a Threat Actor (TA) on a cybercrime forum offering monthly subscription-based services of clipper malware targeting Windows operating systems.…
Introduction
Today’s diary is a quick post of an Astaroth (Guildma) malware infection I generated todayy on Friday 2022-08-19 from a malicious Boleto-themed email pretending to be from Grupo Solução & CIA. Boleto is a payment method used in Brazil, while Grupo Solução & CIA is Brazil-based company.…
Recently, a simple and short email with a suspicious RTF attachment that had been sent to a telecommunications agency in South Asia caught the attention of FortiGuard Labs. The email was disguised as having come from a Pakistan government division and delivered the PivNoxy malware.
Affected Platforms: WindowsImpacted Parties: Windows usersImpact: Controls victim’s machine and collects sensitive informationSeverity Level: Medium
This blog describes how the attack works, suggests who the threat actor behind the operation might be, and details the techniques used by the attacker.…
The Cybereason Global Security Operations Center (GSOC) Team issues Cybereason Threat Analysis Reports to inform on impacting threats. The Threat Analysis Reports investigate these threats and provide practical recommendations for protecting against them.
Views: 0…
Raccoon is an info stealer type malware available as malware-as-a-service on underground forums since early 2019. It can be obtained for a subscription and costs $200 per month. Raccoon malware has already infected over 100,000 devices and became one of the most mentioned viruses on the underground forums.…
Over the last year Mandiant has been tracking UNC3890, a cluster of activity targeting Israeli shipping, government, energy and healthcare organizations via social engineering lures and a potential watering hole. Mandiant assesses with moderate confidence this actor is linked to Iran, which is notable given the strong focus on shipping and the ongoing naval conflict between Iran and Israel.…
During a routine threat-hunting exercise, Cyble Research Labs came across a new malware bot named “MikuBot” in a cyber-crime forum. Mikubot is a malicious bot that steals sensitive data and launches hidden VNC sessions that allow the TA (Threat Actor) to access the victim’s machine remotely, spread through USB, and download and execute other malware.…
During a routine threat hunting exercise, Cyble Research Labs (CRL) came across a Twitter post wherein researchers mentioned a URL that hosts a Windows executable payload with the name systemupdate.exe. The researcher in the Twitter post claims this Windows executable is a variant of Typhon stealer malware delivered via a crafted .lnk…
On July 7, 2022, the CISA published an alert, entitled, “North Korean State-Sponsored Cyber Actors Use Maui Ransomware To Target the Healthcare and Public Health Sector,” related to a Stairwell report, “Maui Ransomware.” Later, the Department of Justice announced that they had effectively clawed back $500,000 in ransom payments to the group, partly thanks to new legislation.…
日本語 (Japanese)
Update HistoryDate Description of UpdatesAug. 10th 2022Adding clarifying details on activity involving active directory.Aug. 10th 2022Update made to the Cisco Response and Recommendations section related to MFA. Executive summaryOn May 24, 2022, Cisco became aware of a potential compromise.…In this intrusion from April 2022, the threat actors used BumbleBee as the initial access vector.
BumbleBee is a malware loader that was first reported by Google Threat Analysis Group in March 2022. Google TAG attributes this malware to an initial access broker (IAB) dubbed EXOTIC LILY, working with the cybercrime group FIN12/WIZARD SPIDER/DEV-0193.…