By Aleksandar Milenkoski, Collin Farr, and Joey Chen, in collaboration with QGroup

Executive Summary

A new threat cluster we track as WIP26 has been targeting telecommunication providers in the Middle East. We assess it is likely that WIP26 is espionage-related. WIP26 relies heavily on public Cloud infrastructure in an attempt to evade detection by making malicious traffic look legitimate.…
Sophisticated Malware Employs Multi-Pronged Data Exfiltration

DarkCloud is an Information Stealer Malware. It was first spotted by researchers in 2022. Such malware is designed to collect sensitive information from a victim’s computer or mobile device. Information stealers can be used to gather a variety of data, including passwords, credit card numbers, social security numbers, and other personal or financial information.…


Microsoft Office documents are used worldwide by corporations and home users alike. Its different Office versions, whether licensed or unlicensed, offer users an easy way to create and modify files. However, this software is also susceptible to cyberattacks.

Cybercriminals often take advantage of its vulnerabilities and use VBA (Visual Basic for Applications) macros as entry points to gain access to targeted systems and devices.…


Executive Summary

On January 17, the BlackCat ransomware group added an entry for an electronic health record (EHR) vendor to its extortion site, but, as of January 21, the vendor’s entry no longer appeared there. Following the claim, the SecurityScorecard Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team investigated the incident.…

In January, the ASEC (AhnLab Security Emergency response Center) analysis team confirmed that the RedEyes attack group (also known as APT37, ScarCruft) was distributing malware through a Hangul EPS (Encapsulated PostScript) vulnerability (CVE-2017-8291). This report shares the RedEyes group's latest activities in Korea.

1. Overview

The RedEyes group is known to target specific individuals rather than companies, stealing not only data from personal PCs but also data from mobile phones.…


Executive Summary

On January 3, local media reported that a major U.S. city’s housing authority had suffered a ransomware attack. The LockBit ransomware group, which has made false claims in the past, took responsibility for the incident. As of this publication, the housing authority has announced a disruption, but has not elaborated on the nature of the event.…
0. Overview

This report is a continuation of the “Attackers Using FRP (Fast Reverse Proxy) to Attack Korean Companies” post that was uploaded on August 16, 2022 and follows the group’s activities since that post.

This group has always relied on open-source tools and, because its binaries lack PDB information, has shown no distinct characteristics that could be used to profile it.…

SUMMARY

Note: This Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and various ransomware threat actors. These #StopRansomware advisories detail historically and recently observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.…


Summary

A previously unknown threat actor is targeting organizations in Pakistan using a complex payload delivery mechanism. The threat actor abuses the upcoming Pakistan International Maritime Expo & Conference (PIMEC-2023) as a lure to trick their victims.

The attacker sent out targeted phishing emails with a weaponized document attached that purports to be an exhibitor manual for PIMEC-23.…

Threat Actors Ramp Up OneNote Attachment Usage in their Attacks

Threat Actors (TAs) are using spam emails to trick individuals into downloading malware, such as Remote Access Trojans (RATs) and Stealers, to infect their devices and steal sensitive information. Cyble Research & Intelligence Labs (CRIL) closely monitors different malware families and routinely publishes informative blogs to educate our readers.…

Threat Actor Leveraging Microsoft OneNote to Infect Users

Threat Actors (TAs) continuously adopt new tactics for infecting users for several reasons, including avoiding detection by anti-virus solutions, increasing the likelihood of successful infections, and seeking the challenge of creating new methods of infecting victims.

Recently, several malware families have been spotted using OneNote attachments in their spam campaigns.…

Evasive Malware Targeting Remote Desktop Files

Information stealers are malware designed to steal sensitive information from infected computers, such as login credentials, financial data, and personal information. They typically do this by searching for specific types of files and data on the infected computer and then exfiltrating that information to a remote server controlled by the attackers.…


Resecurity® has identified a relatively new ransomware family called “Nevada Ransomware”. The actors behind this new project have an affiliate platform first introduced on the RAMP underground community, which is known for initial access brokers (IABs) and other cybercriminal actors and ransomware groups. On February 1st (2023), the operators behind the project updated and significantly improved the functionality of the locker for Windows and Linux/ESXi, and distributed new builds for their affiliates which have been analyzed by our malware intelligence team.…


By Aleksandar Milenkoski, Joey Chen, and Amitai Ben Shushan Ehrlich

Executive Summary

SentinelLabs tracks a cluster of recent opportunistic attacks against organizations in East Asia as DragonSpark. SentinelLabs assesses it is highly likely that a Chinese-speaking actor is behind the DragonSpark attacks. The attacks provide evidence that Chinese-speaking threat actors are adopting the little-known open source tool SparkRAT.…