Key TakeawaysCyble Research and Intelligence Labs (CRIL) has discovered a new Advanced Persistent Threat (APT) campaign focusing on luring unsuspecting victims through phishing websites mimicking well-known software applications.
In this campaign, a phishing website was observed masquerading as OpenVPN software tailored for Chinese users and serves as a host to deliver the malicious payload.…
Read More Tag: INITIAL ACCESS
Летом 2023 года в ходе исследования инцидента в одной из российских организаций мы обнаружили ряд вредоносных программ, нацеленных на кражу данных. Аналогичные программы, по данным Kaspersky Threat Intelligence, были найдены еще в нескольких государственных и индустриальных организациях РФ, поэтому мы можем предположить, что кража данных из организаций, работающих в данных секторах, была основной целью злоумышленников.…
Recent postsHomeMalware Analysis
Unpacking the Use of Steganography in Recent Malware Attacks
Read More UPD: The section “Additional tasks” has been updated to include a new November 2023 steganography campaign.
Malware delivery techniques are always evolving to bypass security measures. Gone are the days when a scammer could simply send an executable file as an email attachment — today, it simply won’t get past email filters. …
Threat hunting encompasses a range of techniques and approaches aimed at discovering anomalies, threats, and risks associated with attacker activities. In the early days, log review by diligent system administrators was how these anomalies were detected, usually after the fact. This evolved into more structured methodologies created by security experts that attempted to identify these activities in real time.…
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Backdoors, Blockchain, Botnets, Hexadecimal IP notation, Infostealers, and Ransomware. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure…
By Ernesto Fernández Provecho and David Pastor Sanz (Threatray) · October 16, 2023
Discord is the first choice for gamers when they want to chat with some friends while playing an online computer game. Moreover, it is also a major choice for users that simply want to communicate with their friends and family.…
Key TakeawaysA Threat Actor (TA) was observed using a Tor Browser phishing website to target Italian-speaking users.
The executable, downloaded from the phishing site, is a .Net binary obfuscated with SmartAssembly. It acts as a dropper, deploying both a legitimate Tor Installer and the malicious “Pure Clipper” payload.…
Read More The Iranian Crambus espionage group (aka OilRig, APT34) staged an eight-month-long intrusion against a government in the Middle East between February and September 2023. During the compromise, the attackers stole files and passwords and, in one case, installed a PowerShell backdoor (dubbed PowerExchange) that was used to monitor incoming mails sent from an Exchange Server in order to execute commands sent by the attackers in the form of emails, and surreptitiously forwarded results to the attackers.…
Since early October 2023, Microsoft has observed two North Korean nation-state threat actors – Diamond Sleet and Onyx Sleet – exploiting CVE-2023-42793, a remote-code execution vulnerability affecting multiple versions of JetBrains TeamCity server. TeamCity is a continuous integration/continuous deployment (CI/CD) application used by organizations for DevOps and other software development activities.…
This post is also available in: 日本語 (Japanese)
Executive SummaryWe recently detected a new campaign from the XorDDoS Trojan that led us to conduct an in-depth investigation that unveiled concealed network infrastructure that carries a large amount of command and control (C2) traffic. When we compared the most recent wave of XorDDoS attacks with a campaign from 2022, we found the only difference between the campaigns was in the configuration of the C2 hosts.…
Kimsuky, a threat group known to be supported by North Korea, has been active since 2013. At first, they attacked North Korea-related research institutes in South Korea before attacking a South Korean energy agency in 2014. Other countries have also become targets of their attack since 2017. [1]…
Updates
Nov. 02: Identified a third version of the BadCandy implant. Added expected response from the new version of the implant against one of the HTTP requests used to check for infected device.
Nov. 1: Observed increase in exploitation attempts since the publication of the proofs-of-concept (POCs) of the exploits involved.…
A previously unknown advanced persistent threat (APT) group used custom malware and multiple publicly available tools to target a number of organizations in the manufacturing, IT, and biomedical sectors in Taiwan.
A government agency located in the Pacific Islands, as well as organizations in Vietnam and the U.S.,…
In September 2023, automation and manufacturing company Johnson Controls was targeted in a ransomware attack where threat actors used Dark Angels ransomware to lock the company’s VMWare ESXi servers. SentinelOne has analyzed the binary related to this attack and found that it has considerable overlap with RagnarLocker’s ESXi version.…
SUMMARY
Read More The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-22515. This recently disclosed vulnerability affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts.…
Recent Attacks showcase AgentTesla spreading via CHM and PDF Files
Key TakeawaysThis analysis emphasizes an interesting infection pathway to disseminate AgentTesla, a well-known malware strain.
The infection is initiated via a spam email containing a CHM file, which, upon execution, fetches a PowerShell script to start the AgentTesla infection on the victim’s system.…
Read More
Overview1. Analysis of Volgmer Backdoor…. 1.1. Initial Version of Volgmer…….. 1.1.1. Analysis of Volgmer Dropper…….. 1.1.2. Analysis of Volgmer Backdoor…. 1.2. Later Version of Volgmer…….. 1.2.1. Analysis of Volgmer Backdoor2. Analysis of Scout Downloader…. 2.1. Droppers (Volgmer, Scout)…. 2.2. Analysis of Scout Downloader…….. 2.2.1. Scout Downloader v1……..…
Read More
Introduction
Read More In the last few months, Check Point Research has been tracking “Stayin’ Alive”, an ongoing campaign that has been active since at least 2021. The campaign operates in Asia, primarily targeting the Telecom industry, as well as government organizations.
The “Stayin’ Alive” campaign consists of mostly downloaders and loaders, some of which are used as an initial infection vector against high-profile Asian organizations.…
Recent postsHomeMalware Analysis
Analyzing Snake Keylogger in ANY.RUN: a Full Walkthrough
Lena aka LambdaMamba
Read More I am a Cybersecurity Analyst, Researcher, and ANY.RUN Ambassador. My passions include investigations, experimentations, gaming, writing, and drawing. I also like playing around with hardware, operating systems, and FPGAs. I enjoy assembling things as well as disassembling things!…