Ransomware-as-a-Service (RaaS) is a cybercrime business model where operators maintain software, websites, infrastructure, and other features needed to conduct ransomware attacks. Affiliates of the RaaS program conduct the attacks and the profits are then shared between the affiliate and the operator.…
Tag: HUNTING
By Securonix Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov
tl;dr: Financially motivated Turkish threat actors appear to be actively targeting MSSQL servers in an effort to deliver MIMIC ransomware payloads.
The Securonix Threat Research team has been monitoring an ongoing threat campaign, RE#TURGENCE, which involves the targeting and exploitation of MSSQL database servers to gain initial access.…
Executive Summary: This article summarizes the malware families (and groups pushing malware) seen by Unit 42 and shared with the broader threat hunting community through our social channels. Some malware – such as IcedID and DarkGate – came up repeatedly.…
Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilizing the ms-appinstaller URI scheme (App Installer) to distribute malware. In addition to ensuring that customers are protected from observed attacker activity, Microsoft investigated the use of App Installer in these attacks.…
JANUARY 4th, 2024:
On 12/29/2023, version 0.66 of Spreadsheet::ParseExcel was published. This release fixes CVE-2023-7101.
https://metacpan.org/dist/Spreadsheet-ParseExcel/changes
For organizations utilizing Spreadsheet::ParseExcel in their own products or services, we recommend reviewing CVE-2023-7101 and upgrading to the latest version of Spreadsheet::ParseExcel.
DECEMBER 24th, 2023:
In our ongoing investigation, Barracuda has determined that a threat actor has utilized an Arbitrary Code Execution (ACE) vulnerability within a third-party library, Spreadsheet::ParseExcel, to deploy a specially crafted Excel email attachment to target a limited number of ESG devices.…
The United States Postal Service (USPS) has taken center stage as this season’s phishing craze. Since July, there has been a remarkable increase in SMS phishing attacks, often called smishing, fueled by the availability of a toolkit on the dark market. The attacks have impacted all forms of text messaging, from iMessage to Android, and all major carriers.…
Earlier this year, Mandiant’s Managed Defense threat hunting team identified an UNC2975 malicious advertising (“malvertising”) campaign presented to users in sponsored search engine results and social media posts, consistent with activity reported in From DarkGate to DanaBot. This campaign dates back to at least June 19, 2023, and has abused search engine traffic and leveraged malicious advertisements to affect multiple organizations, which resulted in the delivery of the DANABOT and DARKGATE backdoors.…
In November 2023, NSFOCUS Global Threat Hunting System detected that a type of ELF file was being widely distributed and accompanied by a large amount of suspected encrypted outbound communication traffic. However, the detection rate of mainstream antivirus engines on this file was close to zero, which aroused our curiosity.…
Cryptocurrency-based crime has metastasized into many forms. Because of the ease with which cryptocurrency ignores borders and enables multinational crime rings to quickly obtain and launder funds, and because of widespread confusion about how cryptocurrency functions, a wide range of confidence scams have focused on convincing victims to convert their personal savings to crypto—and then separate them from it.…
Executive Summary: Malicious actors often acquire a large number of domain names (called stockpiled domains) at the same time or set up their infrastructure in an automated fashion. They do so, for example, by creating DNS settings and certificates for these domains using scripts.…
Analyzing AsyncRAT’s Code Injection into Aspnet_Compiler.exe Across Multiple Incident Response Cases
This blog entry delves into MxDR’s unraveling of the AsyncRAT infection chain across multiple cases, shedding light on the misuse of aspnet_compiler.exe, a legitimate Microsoft process originally designed for precompiling ASP.NET web applications.
During our recent investigations, the Trend Micro Managed XDR (MxDR) team handled various cases involving AsyncRAT, a Remote Access Tool (RAT) with multiple capabilities, such as keylogging and remote desktop control, that make it a substantial threat to victims.…
During the past month, we have observed an increase in the number of malicious ads on Google searches for “Zoom”, the popular piece of video conferencing software. Threat actors have been alternating between different keywords for software downloads such as “Advanced IP Scanner” or “WinSCP” normally geared towards IT administrators.…
Executive Summary: Unit 42 researchers observed a series of apparently related attacks against organizations in the Middle East, Africa and the U.S. We will discuss a set of tools used in the course of the attacks that reveal clues about the threat actors’ activity.…
In the ever-evolving landscape of cybersecurity threats, one name that consistently surfaces as a force to be reckoned with is “PlugX.” This covert and insidious malware has left a trail of digital intrigue, combining advanced features with a knack for eluding detection. Its history is interwoven with cyber espionage, targeted attacks, and a continuous cat-and-mouse game with security experts (1)(2).…
Cybereason issues Threat Alerts to inform customers of emerging, high-impact threats. The Cybereason Incident Response (IR) team documented such critical attack scenarios, which started from a GootLoader infection and ultimately deployed additional capabilities. Cybereason Threat Alerts summarize these threats and provide practical recommendations for protecting against them.…
By Securonix Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov
tl;dr: Threat actors working as part of DB#JAMMER attack campaigns are compromising exposed MSSQL databases using brute-force attacks and appear to be well-tooled and ready to deliver ransomware and Cobalt Strike payloads.
In an interesting attack campaign, the Securonix Threat Research team has identified threat actors targeting exposed Microsoft SQL (MSSQL) services using brute force attacks.…
In December 2022, we observed an intrusion on a public-facing MSSQL Server, which resulted in BlueSky ransomware. First discovered in June 2022, BlueSky ransomware has code links to Conti and Babuk ransomware.
While other reports point to malware downloads as initial access, in this report the threat actors gained access via an MSSQL brute-force attack.…
This post is a continuation of “Malware Unpacking With Hardware Breakpoints”.
Here we will be utilising Ghidra to locate the shellcode, analyse the decryption logic and obtain the final decrypted content using Cyberchef.
Locating the Shellcode Decryption Function in Ghidra: At the point where the hardware breakpoint was first triggered, the primary executable was likely in the middle of the decryption function.…
More and more people nowadays prefer to buy goods online. And why not? It’s convenient, goods will be delivered to your doorstep, and if you choose one of many online marketplaces, it’s even possible to save some money. Sadly, scammers abuse this, targeting these services and their customers for the scammer’s benefit.…