As Russia’s invasion of Ukraine continues, new wiper malware has surfaced attacking Ukrainian infrastructure. Caddywiper was first detected on March 14, 2022. It destroys user data, partitions information from attached drives, and has been spotted on several dozen systems in a limited number of organizations. CaddyWiper has been deployed via GPO, suggesting the attackers had initially compromised the target’s Active Directory server.…
Tag: IMPACT
In this intrusion from December 2021, the threat actors utilized IcedID as the initial access vector. IcedID is a banking trojan that first appeared in 2017, usually, it is delivered via malspam campaigns and has been widely used as an initial access vector in multiple ransomware intrusions.…
The Morphisec Labs team has conducted research on the new Mars infostealer. Mars is based on the older Oski Stealer and was first discovered in June 2021. The new Mars is available for sale on several underground forums and is reported to be under constant development.…
Geopolitical tensions often make headlines and present a golden opportunity for threat actors to exploit the situation, especially those targeting high-profile victims. In the past month while the Russian invasion of Ukraine was unfolding, Check Point Research (CPR) has observed advanced persistent threat (APT) groups around the world launching new campaigns, or quickly adapting ongoing ones to target victims with spear-phishing emails using the war as a lure.…
By Securonix Threat Labs, Threat Research
IntroductionThe Securonix Threat Research team has identified a currently unpatched zero-day vulnerability in Spring Core, a widely used Java-based platform with cross platform support. Early details claim that the bug would allow full remote code execution (RCE) to affected systems.…
Morphisec Labs has observed a new wave of JSSLoader infections this year. We’ve tracked JSSLoader activity since December 2020 and published a thorough report on the Russian criminal hacking group FIN7’s JSSLoader: The Evolution of the FIN7 JSSLoader. JSSLoader is a small, very capable .NET remote access trojan (RAT).…
Key Takeaways: An in-depth analysis of Midas and trends across other Thanos ransomware variants reveals how ransomware groups shifted tactics in 2021 to:
lower sunk costs by using RaaS builders to reduce development time increase payouts with double extortion tactics by using their own data leak sites extend the length and effectiveness of campaigns to get the highest investment returns by updating payloads and/or rebranding their own ransomware groupAdvertised on the darkweb for Ransomware-as-a-Service (RaaS), Thanos ransomware was first identified in February 2020.…
A Cobalt Strike Cybercrime Syndicate and the Ransomware Hackers’ Favorite Weapon
On March 9, the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Secret Service issued an updated alert about the Conti ransomware group, encouraging organizations to review their advisory and apply the recommended mitigations.…
The post-pandemic world has seen cryptocurrencies and blockchain products in general catapult in valuation and adoption. “Web3”, “DeFi”, and “NFT” have become household terms and the sector is growing so fast that people and businesses are pouring in with dollar signs in their eyes and high hopes to get a piece of the pie.…
Information stealing malware is on the rise. Cyble Research Labs recently discovered a new malware dubbed “AvD crypto stealer” on a cybercrime forum. Upon further investigation, however, we observed that this does not function as a Crypto Stealer. This is, in fact, a disguised variant of well-known Clipper malware that can read and edit any text copied by the victim i.e.…
In December 2021, we observed an adversary exploiting the Microsoft Exchange ProxyShell vulnerabilities to gain initial access and execute code via multiple web shells. The overlap of activities and tasks was remarkably similar to that observed in our previous report, “Exchange Exploit Leads to Domain Wide Ransomware“.…
This report discusses the technical capabilities of this Cyclops Blink malware variant that targets ASUS routers and includes a list of more than 150 current and historical command-and-control (C&C) servers of the Cyclops Blink botnet.
With additional insights from Philippe Z Lin
Note: This article has been updated on March 17, 2022, 2:00 a.m.…
Dragos has observed consistent network communication between Emotet Command and Control (C2) servers and numerous auto manufacturing companies. These Emotet servers are suspected to be controlled by the Conti ransomware group.
At this stage, Dragos has not yet observed any confirmed initial access methods being utilized and does not have any evidence of ransomware encryption being initiated.…
Pandora ransomware came into the spotlight in March 2022 after targeting some high-profile victims on its leak site. The ransomware group announced its first victim on 21 Feb 2022 and has posted around five victims to date.
Figure 1: Pandora ransomware data leak siteDuring a routine threat hunting exercise, Cyble Research Labs came across the sample for this ransomware.…
By Securonix Threat Labs, Threat Research: Oleg Kolesnikov, Den Iuzvyk, and Tim Peck
IntroductionOur researchers have identified EnemyBot, a brand new Linux-based botnet. At first glance and by analyzing the initial infection, it appears to cover a wide range of devices and platforms. This report covers technical details including its origin and functionality.…
CryptBot is back. A new and improved version of the malicious infostealer has been unleashed via compromised pirate sites, which appear to offer “cracked” versions of popular software and video games.
Making news most recently for an outbreak in early 2022, the malware first appeared in the wild in 2019, and it is now actively changing its attack and distribution methods.…
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.…
Summary
Read More
The criminal group behind the Arkei information stealer appears to be interested in more than just picking our pockets. While cryptocurrency remains a primary target for the malware, which has recently been tied to use of the stealthy SmokeLoader downloader, a new analysis of Arkei shows that it has now expanded its reach to collect multifactor (MFA) authentication data as well.…
Summary
Read More
The ShadowPad advanced modular remote access trojan (RAT) has been deployed by the Chinese government-sponsored BRONZE ATLAS threat group since at least 2017. A growing list of other Chinese threat groups have deployed it globally since 2019 in attacks against organizations in various industry verticals.…