In the ever-evolving landscape of cybersecurity threats, one name that consistently surfaces as a force to be reckoned with is “PlugX.” This covert and insidious malware has left a trail of digital intrigue, combining advanced features with a knack for eluding detection. Its history is interwoven with cyber espionage, targeted attacks, and a continuous cat-and-mouse game with security experts (1)(2).…
Tag: EXFILTRATION
The AhnLab Security Emergency response Center (ASEC) analysis team previously posted about AsyncRAT being distributed via files with the .chm extension. [1] It was recently discovered that this type of AsyncRAT malware is now being distributed in WSF script format. The WSF file was found to be distributed in a compressed file (.zip)…
Published On : 2023-12-01
Executive Summary
At Cyfirma, our dedication lies in providing current insights into the predominant threats and strategies employed by malicious entities targeting organizations and individuals. This comprehensive analysis focuses on the information stealer DanaBot and presents a thorough examination of its functionality and capabilities.…
Cybereason issues Threat Alerts to inform customers of emerging impacting threats. The Cybereason Incident Response (IR) team documented such critical attack scenarios, which started from a GootLoader infection to ultimately deploy more capabilities. Cybereason Threat Alerts summarize these threats and provide practical recommendations for protecting against them.…
Earlier this year, we reported on a new variant of SystemBC called DroxiDat that was deployed against a critical infrastructure target in South Africa. This proxy-capable backdoor was deployed alongside Cobalt Strike beacons.…
Summary
BlackBerry has uncovered a previously unknown threat actor targeting an aerospace organization in the United States, with the apparent goal of conducting commercial and competitive cyber espionage. The BlackBerry Threat Research and Intelligence team is tracking this threat actor as AeroBlade. The actor used spear-phishing as a delivery mechanism: A weaponized document, sent as an email attachment, contains an embedded remote template injection technique and a malicious VBA macro code, to deliver the next stage to the final payload execution.…
By Securonix Threat Research: D.Iuzvyk, T.Peck, O.Kolesnikov
tl;dr: Threat actors working as part of DB#JAMMER attack campaigns are compromising exposed MSSQL databases using brute force attacks and appear to be well tooled and ready to deliver ransomware and Cobalt Strike payloads.
In an interesting attack campaign, the Securonix Threat Research team has identified threat actors targeting exposed Microsoft SQL (MSSQL) services using brute force attacks.…
By Max Kersten · November 29, 2023
This blog was also written by Alexandre Mundo.
First discovered in early 2023, Akira ransomware seemed to be just another ransomware family that entered the market. Its continued activity and numerous victims are our main motivators to investigate the malware’s inner workings to empower blue teams to create additional defensive rules outside of their already in-place security.…
Information Stealers are a pervasive threat and are capable of providing threat actors with a rich source of sensitive data.
Recently, we came across a tweet announcing that the Serpent Stealer is on sale on the dark web. This .NET-based malware can not only acquire sensitive information from the most popular online browsers and applications but also exfiltrate passwords. …
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing a Cybersecurity Advisory (CSA) in response to confirmed exploitation of CVE-2023-26360 by unidentified threat actors at a Federal Civilian Executive Branch (FCEB) agency. This vulnerability presents as an improper access control issue impacting Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier).…
The TrickMo Banking Trojan was identified in September 2019 and was disseminated through the TrickBot malware. In March 2020, IBM researchers analyzed a newly discovered Android Banking Trojan known as “TrickMo.”…
In December 2022, we observed an intrusion on a public-facing MSSQL Server, which resulted in BlueSky ransomware. First discovered in June 2022, BlueSky ransomware has code links to Conti and Babuk ransomware.
While other reports point to malware downloads as initial access, in this report the threat actors gained access via a MSSQL brute force attack.…
This article aims to share timely and relevant information about a rapidly developing campaign under investigation. We are publishing it as early as possible for the benefit of the cybersecurity community and we will update this blog with more details as our investigation continues.
Key Takeaways
Exploitation of Qlik Sense application in the observed campaign.…
During the various phases of an attack, it’s not uncommon for threat actors to use “living off the land” binaries (LOLBins) or scripts and libraries (LOLBAS). Doing so means that the threat actor has fewer tools to bring with them, and it also reduces their chances of being detected because they’re hiding amongst seemingly normal activity within the environment. …
We detail the modular framework of malicious Chrome extensions that consist of various highly obfuscated components that leverage Google Chrome API to monitor, intercept, and exfiltrate victim data.
Our investigations on potential security threats uncovered a malicious Google Chrome extension that we named “ParaSiteSnatcher.” The ParaSiteSnatcher framework allows threat actors to monitor, manipulate, and exfiltrate highly sensitive information from multiple sources.…
RisePro is a malware-as-a-service info-stealer, first identified in 2022. Recently, we detected a spike in its activity and decided to conduct an investigation, which led to interesting findings.
RisePro is a well-documented malware, but we quickly realized that the network traffic patterns of our samples did not match the existing literature.…
Executive SummaryUnit 42 researchers recently discovered two separate campaigns targeting job-seeking activities linked to state-sponsored threat actors associated with the Democratic People’s Republic of Korea (DPRK), commonly known as North Korea. We call the first campaign “Contagious Interview,” where threat actors pose as employers (often anonymously or with vague identities) to lure software developers into installing malware through the interview process.…
NOTICE:
Of note, the zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the “about” page of this website.
ASSOCIATED FILES:
1.9 kB (1,876 bytes), 7.5 kB (7,516 bytes), 8.6 MB (8,564,400 bytes), 7.6 MB (7,608,996 bytes)
2023-11-22 (WEDNESDAY): AGENTTESLA INFECTION WITH FTP DATA EXFIL
NOTES:
- This was from a Spanish language email sent from a mail server based in Mexico.…