By Securonix Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov

tldr: Financially motivated Turkish threat actors appear to be actively targeting MSSQL servers in an effort to deliver MIMIC ransomware payloads .

The Securonix Threat Research team has been monitoring an ongoing threat campaign, RE#TURGENCE which involves the targeting and exploitation of MSSQL database servers to gain initial access.…

Read More

Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilizing the ms-appinstaller URI scheme (App Installer) to distribute malware. In addition to ensuring that customers are protected from observed attacker activity, Microsoft investigated the use of App Installer in these attacks.…

Read More

JANUARY 4th, 2024:

On 12/29/2023, version 0.66 of  Spreadsheet::ParseExcel was published. This release fixes CVE-2023-7101.

https://metacpan.org/dist/Spreadsheet-ParseExcel/changes

For organizations utilizing Spreadsheet::ParseExcel in their own products or services, we recommend reviewing CVE-2023-7101 and upgrading to the latest version of Spreadsheet::ParseExcel.

DECEMBER 24th, 2023:

In our ongoing investigation, Barracuda has determined that a threat actor has utilized an Arbitrary Code Execution (ACE) vulnerability within a third party library, Spreadsheet::ParseExcel, to deploy a specially crafted Excel email attachment to target a limited number of ESG devices.…

Read More
Executive Summary

The United States Postal Service (USPS) has taken center stage as this season’s phishing craze. Since July, there has been a remarkable increase in SMS phishing attacks, often called smishing, fueled by the availability of a toolkit on the dark market. The attacks have impacted all forms of text messaging, from iMessage to Android, and all major carriers.…

Read More

Earlier this year, Mandiant’s Managed Defense threat hunting team identified an UNC2975 malicious advertising (“malvertising”) campaign presented to users in sponsored search engine results and social media posts, consistent with activity reported in From DarkGate to DanaBot. This campaign dates back to at least June 19, 2023, and has abused search engine traffic and leveraged malicious advertisements to affect multiple organizations, which resulted in the delivery of the DANABOT and DARKGATE backdoors.…

Read More
I. Background of xorbot

In November 2023, NSFOCUS Global Threat Hunting System detected that a type of elf file was being widely distributed and accompanied by a large amount of suspected encrypted outbound communication traffic. However, the detection rate of mainstream antivirus engines on this file was close to zero, which aroused our curiosity.…

Read More

Cryptocurrency-based crime has metastasized into many forms. Because of the ease with which cryptocurrency ignores borders and enables multinational crime rings to quickly obtain and launder funds, and because of widespread confusion about how cryptocurrency functions, a wide range of confidence scams have focused on convincing victims to convert their personal savings to crypto—and then separate them from it.…

Read More

This blog entry delves into MxDR’s unraveling of the AsyncRAT infection chain across multiple cases, shedding light on the misuse of aspnet_compiler.exe, a legitimate Microsoft process originally designed for precompiling ASP.NET web applications.

During our recent investigations, the Trend Micro Managed XDR (MxDR) team handled various cases involving AsyncRAT, a Remote Access Tool (RAT) with multiple capabilities, such as keylogging and remote desktop control, that make it a substantial threat to victims.…

Read More

In the ever-evolving landscape of cybersecurity threats, one name that consistently surfaces as a force to be reckoned with is “PlugX.” This covert and insidious malware has left a trail of digital intrigue, combining advanced features with a knack for eluding detection. Its history is interwoven with cyber espionage, targeted attacks, and a continuous cat-and-mouse game with security experts (1)(2).…

Read More

Cybereason issues Threat Alerts to inform customers of emerging impacting threats. The Cybereason Incident Response (IR) team documented such critical attack scenarios, which started from a GootLoader infection to ultimately deploy more capabilities. Cybereason Threat Alerts summarize these threats and provide practical recommendations for protecting against them.…

Read More

By Securonix Threat Research: D.Iuzvyk, T.Peck, O.Kolesnikov

tl;dr

Threat actors working as part of DB#JAMMER attack campaigns are compromising exposed MSSQL databases using brute force attacks and appear to be well tooled and ready to deliver ransomware and Cobalt Strike payloads.

In an interesting attack campaign, the Securonix Threat Research team has identified threat actors targeting exposed Microsoft SQL (MSSQL) services using brute force attacks.…

Read More

This post is a continuation of “Malware Unpacking With Hardware Breakpoints”.

Here we will be utilising Ghidra to locate the shellcode, analyse the decryption logic and obtain the final decrypted content using Cyberchef.

Locating the Shellcode Decryption Function In Ghidra

At the point where the hardware breakpoint was first triggered, the primary executable was likely in the middle of the decryption function.…

Read More
Key FindingsCheck Point Research is actively tracking the evolution of SysJoker, a previously publicly unattributed multi-platform backdoor, which we asses was utilized by a Hamas-affiliated APT to target Israel. Among the most prominent changes is the shift to Rust language, which indicates the malware code was entirely rewritten, while still maintaining similar functionalities.…
Read More