In the ever-evolving landscape of cybersecurity threats, one name that consistently surfaces as a force to be reckoned with is “PlugX.” This covert and insidious malware has left a trail of digital intrigue, combining advanced features with a knack for eluding detection. Its history is interwoven with cyber espionage, targeted attacks, and a continuous cat-and-mouse game with security experts (1)(2).…

Read More

Cybereason issues Threat Alerts to inform customers of emerging impacting threats. The Cybereason Incident Response (IR) team documented such critical attack scenarios, which started from a GootLoader infection to ultimately deploy more capabilities. Cybereason Threat Alerts summarize these threats and provide practical recommendations for protecting against them.…

Read More

Summary

BlackBerry has uncovered a previously unknown threat actor targeting an aerospace organization in the United States, with the apparent goal of conducting commercial and competitive cyber espionage. The BlackBerry Threat Research and Intelligence team is tracking this threat actor as AeroBlade. The actor used spear-phishing as a delivery mechanism: A weaponized document, sent as an email attachment, contains an embedded remote template injection technique and a malicious VBA macro code, to deliver the next stage to the final payload execution.…

Read More

By Securonix Threat Research: D.Iuzvyk, T.Peck, O.Kolesnikov

tl;dr

Threat actors working as part of DB#JAMMER attack campaigns are compromising exposed MSSQL databases using brute force attacks and appear to be well tooled and ready to deliver ransomware and Cobalt Strike payloads.

In an interesting attack campaign, the Securonix Threat Research team has identified threat actors targeting exposed Microsoft SQL (MSSQL) services using brute force attacks.…

Read More

First discovered in early 2023, Akira ransomware seemed to be just another ransomware family that entered the market. Its continued activity and numerous victims are our main motivators to investigate the malware’s inner workings to empower blue teams to create additional defensive rules outside of their already in-place security.…

Read More

Information Stealers are a pervasive threat and are capable of providing threat actors with a rich source of sensitive data. 

Recently, we came across this tweet that the Serpent Stealer is on sale on the dark web. A .NET based malware, this has the ability to not only acquire sensitive information from the most popular online browsers and applications but also has the capability to exfiltrate  passwords.  …

Read More
SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing a Cybersecurity Advisory (CSA) in response to confirmed exploitation of CVE-2023-26360 by unidentified threat actors at a Federal Civilian Executive Branch (FCEB) agency. This vulnerability presents as an improper access control issue impacting Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier).…

Read More
Key TakeawaysTrickMo Banking Trojan, initially identified in September 2019, showed a malware employs an Overlay attack as the main method to harvest credentials from target applications.Overview

The TrickMo Banking Trojan was identified in September 2019 and was disseminated through the TrickBot malware. In March 2020, IBM researchers analyzed a newly discovered Android Banking Trojan known as “TrickMo.”…

Read More

We detail the modular framework of malicious Chrome extensions that consist of various highly obfuscated components that leverage Google Chrome API to monitor, intercept, and exfiltrate victim data.

Our investigations on potential security threats uncovered a malicious Google Chrome extension that we named “ParaSiteSnatcher.” The ParaSiteSnatcher framework allows threat actors to monitor, manipulate, and exfiltrate highly sensitive information from multiple sources.…

Read More
Recent postsHomeMalware Analysis RisePro Malware Analysis: Exploring C2 Communication of a New Version

RisePro is a malware-as-a-service info-stealer, first identified in 2022. Recently, we’ve detected a spike in it’s activity and decided to conduct an investigation, which led to interesting findings. 

RisePro is a well-documented malware, but we quickly realized that the network traffic patterns of our samples did not match the existing literature.…

Read More

This post is also available in: 日本語 (Japanese)

Executive Summary

Unit 42 researchers recently discovered two separate campaigns targeting job-seeking activities linked to state-sponsored threat actors associated with the Democratic People’s Republic of Korea (DPRK), commonly known as North Korea. We call the first campaign “Contagious Interview,” where threat actors pose as employers (often anonymously or with vague identities) to lure software developers into installing malware through the interview process.…

Read More
Key TakeawaysCyble Research and Intelligence Labs (CRIL) has recently identified a website called Persian Remote World engaged in the sale of a variety of malicious tools. Persian Remote World provides an extensive range of malicious tools, including Remote Access Trojans (RATs), loaders, and crypters. The site developers offer these malicious tools under different subscription models at varying prices.…
Read More
2023-11-22 (WEDNESDAY) – AGENTTESLA INFECTION WITH FTP DATA EXFIL

NOTICE:

Of note, the zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the “about” page of this website.

ASSOCIATED FILES:

  1.9 kB   (1,876 bytes)   7.5 kB   (7,516 bytes)   8.6 MB   (8,564,400 bytes)   7.6 MB   (7,608,996 bytes)2023-11-22 (WEDNESDAY): AGENTTESLA INFECTION WITH FTP DATA EXFILNOTES:- This was from a Spanish language email sent from a mail server based in Mexico.…
Read More