SapphireStealer, an open-source information stealer, has been observed across public malware repositories with increasing frequency since its initial public release in December 2022.
Information-stealing malware like SapphireStealer can be used to obtain sensitive information, including corporate credentials, which are often resold to other threat actors who leverage the access for additional attacks, including operations related to espionage or ransomware/extortion.…
Read More Tag: EXFILTRATION
In this entry, we discuss how a threat actor abuses paid Facebook promotions featuring LLMs to spread malicious code, with the goal of installing a malicious browser add-on and stealing victims’ credentials.
Large language models (LLMs) are currently a hot topic nowadays, drawing much attention as the emergence of general artificial intelligence seems to near.…
On August 29, 2023, U.S. law enforcement announced a multinational operation that disrupted the Qakbot botnet (also known as Qbot) and associated infrastructure. Secureworks® Counter Threat Unit™ (CTU) researchers have long maintained active monitoring of the botnet and detected the disruption activity on August 25.
During the takedown, law enforcement identified over 700,000 infected computers and seized more than $8.6 million USD in illicit profits.…
On the morning of August 24, Phylum’s automated risk detection system identified a suspicious package published to npm called “emails-helper.” A deeper investigation revealed that this package was part of an intricate attack involving Base64-encoded and encrypted binaries. The scheme fetches encryption keys from a DNS TXT record hosted on a remote server.…
Summary
Microsoft has identified a nation-state activity group tracked as Flax Typhoon, based in China, that is targeting dozens of organizations in Taiwan with the likely intention of performing espionage. Flax Typhoon gains and maintains long-term access to Taiwanese organizations’ networks with minimal use of malware, relying on tools built into the operating system, along with some normally benign software to quietly remain in these networks.…
Published On : 2023-08-23
EXECUTIVE SUMMARYAt Cyfirma, we are dedicated to providing you with up-to-date information on the most prevalent threats and tactics used by malicious actors to target both organizations and individuals. In this comprehensive analysis, we delve into an ongoing campaign orchestrated by the Remcos Remote Access Trojan (RAT).…
By Trellix · August 17, 2023 This story was also written by Phelix Oluoch
Executive SummaryScattered Spider, also referred to as UNC3944, Scatter Swine, and Muddled Libra, is a financially motivated threat actor group that has been active since May 2022. Scattered Spider has largely been observed targeting telecommunications and Business Process Outsourcing (BPO) organizations.…
In this blogpost, ESET researchers take a look at Spacecolon, a small toolset used to deploy variants of the Scarab ransomware to victims all over the world. It probably finds its way into victim organizations by its operators compromising vulnerable web servers or via brute forcing RDP credentials.…
Web servers are vulnerable to attacks because they are publicly accessible to a wide range of users for the purpose of delivering web services. This accessibility makes them a prime target for threat actors. AhnLab Security Emergency response Center (ASEC) is monitoring attacks targeting vulnerable web servers that have not been patched or are poorly managed.…
Introduction:
Read More First observed in the middle of 2021, ‘Mallox’ Ransomware has emerged as a formidable threat in the cyber crime landscape. With its ability to encrypt all volumes, including local and network shared drives, it gradually spreads its control over the system, leaving victims in a state of digital despair.…
ESET Research
ESET researchers have observed a new phishing campaign targeting users of the Zimbra Collaboration email server.
Viktor Šperka
17 Aug 2023 • , 5 min. read
ESET researchers have uncovered a mass-spreading phishing campaign, aimed at collecting Zimbra account users’ credentials, active since at least April 2023 and still ongoing.…
Key TakeawaysThe blog delves into a new infection approach to disseminating the SectopRAT final payload.
Providing insight into LummaC stealer and its method of procuring the Amadey bot malware.
The Amadey bot replicates itself to ensure persistence, generating an LNK file within the startup folder directory.…
Read More This post is also available in: 日本語 (Japanese)
Executive SummaryWhile the SugarCRM CVE-2023-22952 zero-day authentication bypass and remote code execution vulnerability might seem like a typical exploit, there’s actually more for defenders to be aware of. Because it’s a web application, if it’s not configured or secured correctly, the infrastructure behind the scenes can allow attackers to increase their impact.…
Introduction
Read More Recently, while tracking global threat activity, the Zscaler ThreatLabz team discovered a new information stealer family called: Statc Stealer. Statc Stealer is a sophisticated malware that infects devices powered by Windows, gains access to computer systems, and steals sensitive information.
In this comprehensive technical blog post, we unravel the intricate workings of Statc Stealer.…
New Insikt Group research examines RedHotel, a Chinese state-sponsored threat activity group that stands out due to its persistence, operational intensity, and global reach. RedHotel’s operations span 17 countries in Asia, Europe, and North America from 2021 to 2023. Its targets encompass academia, aerospace, government, media, telecommunications, and research sectors.…
By Tom Hegel and Aleksandar Milenkoski
Executive SummarySentinelLabs identified an intrusion into the Russian defense industrial base, specifically a missile engineering organization NPO Mashinostroyeniya.Our findings identify two instances of North Korea related compromise of sensitive internal IT infrastructure within this same Russian DIB organization, including a specific email server, alongside use of a Windows backdoor dubbed OpenCarrot.…This is the third part of our research based on an investigation of a series of attacks against industrial organizations in Eastern Europe.
The attackers aimed to establish a permanent channel for data exfiltration, including data stored on air-gapped systems.
In total we have identified over 15 implants and their variants planted by the threat actor(s) in various combinations.…
Key Takeaways
Read More • The blog highlights a new infection technique for distributing STRRAT version 1.6. It involves a spam email with a PDF attachment that, when opened, downloads a zip file containing the malicious JavaScript, which drops STRRAT.• STRRAT version 1.6 employs two string obfuscation techniques: “Zelix KlassMaster (ZKM)” and “Allatori”, making it more challenging for security researchers to analyze and detect the malware.•…
August 09, 2023
Shachar Gritzman, Moshe Avraham, Tim Kromphardt, Jake Gionet and Eilon Bendet
Key TakeawaysOver the last six months, Proofpoint researchers have observed a dramatic surge of over 100% in successful cloud account takeover incidents impacting high-level executives at leading companies. Over 100 organizations were targeted globally, collectively representing 1.5 million employees.…
Key TakeawaysThe blog highlights a new infection chain for distributing AgenTesla RAT. It involves a spam email with a CPL file that, when executed, downloads a PowerShell script that injects AgentTesla malware in exe and MSbuild.exe.
The PowerShell scripts use obfuscated binary strings to hide malicious code.…
Read More